Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

import() should use referring script's base URL as the referrer #3744

Closed
domenic opened this issue Jun 6, 2018 · 8 comments · Fixed by #9407
Closed

import() should use referring script's base URL as the referrer #3744

domenic opened this issue Jun 6, 2018 · 8 comments · Fixed by #9407
Labels
normative change topic: script

Comments

@domenic
Copy link
Member

domenic commented Jun 6, 2018

Right now we treat import() as a "new" module script graph, i.e. it calls fetch a module script graph directly. This then uses "client" as the referrer, i.e. it uses the base URL of the appropriate settings object.

But this seems semantically wrong. import() knows what script it's being called from; it uses that information to compute URLs and and fetch options. It should also use that to compute the referrer information.

Found by @jonco3. /cc @whatwg/modules. I will try to work on a spec fix and tests for this soon...
@nhiroki
Copy link
Contributor

nhiroki commented Jun 12, 2018

/cc @hiroshige-g @nyaxt and me. We're now adding WPTs for referrer on module workers.

@domfarolino
Copy link
Member

Any update on the status here (tests or spec)?

@domenic
Copy link
Member Author

domenic commented May 11, 2020

It looks like the spec still does not do this, but it would be much easier to change now. I think it's just a matter of changing https://html.spec.whatwg.org/multipage/webappapis.html#fetch-an-import()-module-script-graph step 3 to pass base URL instead of "client".

@nhiroki
Copy link
Contributor

nhiroki commented May 14, 2020
edited
Loading

Regarding the tests, we have auto-generated tests for top-level worker module script loading, but not yet for import() IIUC:
https://github.com/web-platform-tests/wpt/blob/451adc0f8a2a76b97c74ff3471b0e068164e9eb8/referrer-policy/spec.src.json#L656

@nhiroki
Copy link
Contributor

nhiroki commented May 14, 2020
edited
Loading

Ah, I just remembered there're also hand-written tests including import():

It would be nice to move these tests into the test generator framework.

@nicolo-ribaudo nicolo-ribaudo mentioned this issue Sep 5, 2022
Merged
@domenic domenic mentioned this issue Apr 26, 2023
Merged
3 tasks
@nicolo-ribaudo
Copy link
Contributor

I was testing this issue, and it looks like Firefox implements the proposed behavior while Webkit and Chromium implement the specified behavior.

I was looking at wpt tests, but I couldn't find any. Would it be ok to just duplicate all the referrer-* tests in https://github.com/web-platform-tests/wpt/tree/master/html/semantics/scripting-1/the-script-element/module, to test the referrer when:

  • using static import in an imported external module
  • using dynamic import in an imported external module

Should the tests include all the referrer policy combinations, or given that this change would affect which referrer is passed and not when it would be enough to test the default one?

@annevk
Copy link
Member

annevk commented Jun 9, 2023
edited
Loading

Duplicating (or abstracting) sounds fine. And no need to test all combinations. Thanks!

This was referenced Jun 9, 2023
Merged
Merged
@nicolo-ribaudo
Copy link
Contributor

Thank you! PR opened.

domenic pushed a commit that referenced this issue Jul 4, 2023
@nicolo-ribaudo
Propagate fetch referrer in dynamic imports
d134086 
Remove the explicit non-propagation of the referrer for dynamic import() calls, and fix #3744. By doing so, we align fetching static and dynamic imports.
rubberyuzu pushed a commit to rubberyuzu/html that referenced this issue Jul 20, 2023
@nicolo-ribaudo
Propagate fetch referrer in dynamic imports
0cca49d 
Remove the explicit non-propagation of the referrer for dynamic import() calls, and fix whatwg#3744. By doing so, we align fetching static and dynamic imports.
rubberyuzu pushed a commit to rubberyuzu/html that referenced this issue Jul 21, 2023
@nicolo-ribaudo
Propagate fetch referrer in dynamic imports
3523617 
Remove the explicit non-propagation of the referrer for dynamic import() calls, and fix whatwg#3744. By doing so, we align fetching static and dynamic imports.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
normative change topic: script
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Propagate fetch referrer in dynamic imports nicolo-ribaudo/html
5 participants
@domenic @nhiroki @annevk @nicolo-ribaudo @domfarolino