1399780 - Preloads ignore referrer polices

Status: RESOLVED FIXED

(Core :: DOM: Security, enhancement, P2)

Description

[Franziskus Kiefer [:franziskus]]

In bug 1397064 we learned that Firefox preloads ignore referrer policies when set as attributes. This shouldn't happen.
Referrer policies set in attributes or in the header should be used when performing preloads. Referrer policies set in the meta tag are ignored by preloads.

Comment 1

[Thomas Nguyen (:tnguyen)]

(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #0)
> In bug 1397064 we learned that Firefox preloads ignore referrer policies
> when set as attributes. This shouldn't happen.
> Referrer policies set in attributes or in the header should be used when
> performing preloads. Referrer policies set in the meta tag are ignored by
> preloads.

I guess you are talking about preload in speculative parser/loading (1) (not <link rel="preload" (2)), bug 1384493 fixed one of (1) for link, but I guess we already supported for image and script. It seems we still don't support (2) and I don't know if there's any explicit spec about that

Comment 2

[Daniel Veditz [:dveditz]]

The document referrer policy should apply to all loads triggered by the document unless overridden by a referrerpolicy attribute on a specific element (in which case that one applies).

We need testcases for this so we know what's broken. P2 for the testcase; we can decide the priority for fixing them after that (but probably P3).

Comment 3

[Thomas Nguyen (:tnguyen)]

Attachment: Bug 1399780 - Add a test that referrerpolicy attributes are honoured correctly in speculative loading

Review commit: https://reviewboard.mozilla.org/r/189518/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/189518/

Comment 4

[Thomas Nguyen (:tnguyen)]

Referrerpolicy attr is honoured correctly in speculative loading of img and style.
We also support referrer policy in rel=preload, but we are missing a test case of that. I would like to file a new bug (Bug 1408347) to add a rel=preload test, because rel=preload seems to be ignored in speculative loading at the moment Bug 1393540.

Comment 5

[Thomas Nguyen (:tnguyen)]

(In reply to Thomas Nguyen[:tnguyen] ni? plz from comment #3)
> Created attachment 8918716 [details]
> Bug 1399780 - Add a test that referrerpolicy attributes are honoured
> correctly in speculative loading
> 
> Review commit: https://reviewboard.mozilla.org/r/189518/diff/#index_header
> See other reviews: https://reviewboard.mozilla.org/r/189518/

Christoph, could you please take a look at the patch? Thanks

Comment 6

[Christoph Kerschbaumer [:ckerschb}]

Comment on attachment 8918716 [details]
Bug 1399780 - Add a test that referrerpolicy attributes are honoured correctly in speculative loading

https://reviewboard.mozilla.org/r/189518/#review195284

thanks, r=me, but please remove the meta referrer policy from top

::: dom/base/test/file_bug704320_preload_attr.html:9
(Diff revision 1)
> +Test whether the speculative parser should use the referrerpolicy attribute
> +https://bugzilla.mozilla.org/show_bug.cgi?id=1399780
> +-->
> +<head>
> +  <meta charset="utf-8">
> +  <meta name="referrer" content="unsafe-url">

please remove that meta tag.

Comment 7

[Thomas Nguyen (:tnguyen)]

Comment on attachment 8918716 [details]
Bug 1399780 - Add a test that referrerpolicy attributes are honoured correctly in speculative loading

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/189518/diff/1-2/

Comment 8

[Pulsebot]

Pushed by tnguyen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5fdebd6d25a5
Add a test that referrerpolicy attributes are honoured correctly in speculative loading r=ckerschb

Comment 9

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/5fdebd6d25a5