Closed
Bug 1265961
Opened 8 years ago
Closed 5 years ago
Fix referrers for subresources in srcdoc iframes
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
DUPLICATE
of bug 1534681
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | affected |
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
(Blocks 2 open bugs)
Details
(Whiteboard: btpp-active)
We seems to use document->GetDocumentURI() as the referrer, in general. But for srcdoc iframes, this is wrong: it should be the referrer URI of the parent document. See https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer step 3 substep 3 subsubstep 3 subsubsubstep 2. I'm going to get tests landed in wpt for this first (because the setup of the referrer-policy tests is nontrivial and needs actual review from their owner over in github), then implement the various changes needed here. https://github.com/w3c/web-platform-tests/pull/2851 tracks that.
Flags: needinfo?(bzbarsky)
|
Assignee | |
Comment 1•8 years ago
|
||
Oh, and note that srcdoc will also need to inherit referrer policy. Need to check how exactly this should work. Now that I'm carefully reading this referrer policy spec, it's got all sorts of issues. :(
|
||
Updated•8 years ago
|
Whiteboard: btpp-active
|
|
Assignee | |
Comment 2•8 years ago
|
||
Another note: the web platform tests for referrer-policy are not really owned and the people who are supposed to take a look at my proposed changes are being AWOL. The answer might just end up being that I push changes without their review and call it a day...
|
||
Comment 3•7 years ago
|
||
I'm enabling a bunch of referrer-policy tests over in bug 1341079. A number of failures are revealed that all appear to be due to srcdoc. I'll need info here once they are enabled and marked expected fail.
See Also: → 1341079
|
|
||
Comment 4•7 years ago
|
||
I've enabled the tests and marked a bunch expected fail due to srcdoc. See: https://hg.mozilla.org/integration/mozilla-inbound/rev/b4f01417998f
|
|
Assignee | |
Comment 5•7 years ago
|
||
Note to self: KeyframeUtils definitely has a place that uses the document URI as referrer.
|
|
||
Comment 6•7 years ago
|
||
Note, we do pull referrer from the principal spec for the non-document worker case. Maybe you could do the same here if we inherit the right principal. I'd love to fix that, though. Getting the referrer from the principal spec is incredibly error prone. See bug 1340694. Long term I plan to expose a "ClientInfo" data structure that can be associated with any environment/environment settings object. So both document and worker would have one. I'm hoping we can make referrer code pull from this ClientInfo data so it just works for all cases.
|
|
Assignee | |
Comment 7•7 years ago
|
||
And SVG's MappedAttrParser. And in fact, all CSS parsing in general. :(
|
|
Assignee | |
Comment 8•7 years ago
|
||
Oh, in terms of fixing this for srcdoc we'll do it by just looking at the parent. Doing it for other things that should "inherit" the referrer will be more complicated. And the hardest (or at least most annoying) part is finding all the places that currently assume referrer URI == document URI and fixing them.
|
||
Updated•6 years ago
|
Priority: -- → P3
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Updated•5 years ago
|
Blocks: refactor-referrer-policy-setup
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(bzbarsky)
You need to log in
before you can comment on or make changes to this bug.
Description
•