Use module referrer policy for descendant fetches
Categories
(Core :: JavaScript Engine, task, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox119 | --- | fixed |
People
(Reporter: domfarolino, Assigned: allstars.chh)
Details
Attachments
(5 files, 1 obsolete file)
Steps to reproduce:
The referrer policy delivered on module scripts should be used for their descendant script fetches. See https://github.com/whatwg/html/pull/9210.
Comment 1•3 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Firefox::Enterprise Policies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•2 years ago
|
||
I'd love to know why BugBug thought this belonged in enterprise....
Comment 3•2 years ago
|
||
This seems to me more like an enhancement than a defect. Marking as new so that dev team can leave they opinion about this. Thank you.
Updated•2 years ago
|
Updated•2 years ago
|
| Assignee | ||
Updated•2 years ago
|
| Assignee | ||
Comment 4•2 years ago
|
||
This implementes the following requirement from the spec:
https://html.spec.whatwg.org/#fetch-a-single-module-script
-
In both cases, let processResponseConsumeBody given response response and null, failure, or a byte sequence bodyBytes be the following algorithm:
-
Let referrerPolicy be the result of parsing the
Referrer-Policyheader given response. -
If referrerPolicy is not the empty string, set options's referrer policy to referrerPolicy.
| Assignee | ||
Comment 5•2 years ago
|
||
https://html.spec.whatwg.org/multipage/webappapis.html#hostloadimportedmodule
- If referrer is a Script Record or a Module Record, then:
... - Set fetchOptions to the new descendant script fetch options for referencingScript's fetch options.
See the discussion from
https://github.com/whatwg/html/pull/9210#pullrequestreview-1413230811
https://github.com/whatwg/html/pull/9210#issuecomment-1535490692
| Assignee | ||
Comment 6•2 years ago
|
||
https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer
"origin-when-cross-origin":
If the origin of referrerURL and the origin of request’s current URL are the same, then return referrerURL.
Originally the implementation checks if the triggeringPrincipal and the
request's current URL are the same-origin.
But this will cause wrong refererr to be sent in the following case:
document (origin: A) -> static import a JS script called Script1 (origin:B)
Script1 imports (statically) another JS script Script2 (origin: B)
According to the spec, when determining the referrer of Script2,
Script1's origin and Script2's origin should be compared,
but in our implementation, the document's origin and the Script2's
origin are compared.
| Assignee | ||
Comment 7•2 years ago
|
||
| Assignee | ||
Comment 8•2 years ago
|
||
Suggested by jonco during review,
https://phabricator.services.mozilla.com/D186944#inline-1036982
Updated•2 years ago
|
| Assignee | ||
Comment 9•2 years ago
|
||
https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer
"same-origin"
- If the origin of referrerURL and the origin of request’s current URL are the
same, then return referrerURL. - Return no referrer.
Current implementation compares with triggeringPrincipal and current URI,
which is incorrect for static imports.
Also added some test for same-origin in referrer-policy-for-descendants.sub.html
parentWithSameOrigin:
document(origin A) imports import-referrer-checker.sub.js (origin A),
which imports referrer-checker.py (origin A), so referrerURL
(import-referrer-checker.sub.js) is expected.
remoteParentWithSameOriginWhenCrossOriginSameOriginDescendant:
document(origin A) imports a cross-origin import-referrer-checker.sub.js
(origin B),
which imports referrer-checker.py (origin B),
so referrerURL (import-referrer-checker.sub.js) is expected.
remoteParentWithSameOriginWhenCrossOriginRemoteDescendant:
document(origin A) imports a cross-origin import-referrer-checker.sub.js
(origin B),
which imports referrer-checker.py (origin A),
so "" (no referrer) is expected.
Similar tests can also be found in /html/semantics/scripting-1/the-script-element/module/referrer-same-origin.sub.html
Updated•2 years ago
|
Updated•2 years ago
|
Comment 10•2 years ago
|
||
Comment 11•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9d342ff0f27c
https://hg.mozilla.org/mozilla-central/rev/14352d684149
https://hg.mozilla.org/mozilla-central/rev/b7254925687d
https://hg.mozilla.org/mozilla-central/rev/a2b34d63b557
https://hg.mozilla.org/mozilla-central/rev/d4266c5fb76c
Description
•