Use module referrer policy for descendant fetches
Categories
(Core :: JavaScript Engine, task, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox119 | --- | fixed |
People
(Reporter: domfarolino, Assigned: allstars.chh)
Details
Attachments
(5 files, 1 obsolete file)
Steps to reproduce:
The referrer policy delivered on module scripts should be used for their descendant script fetches. See https://github.com/whatwg/html/pull/9210.
|
||
Comment 1•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Firefox::Enterprise Policies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•11 months ago
|
||
I'd love to know why BugBug thought this belonged in enterprise....
|
||
Comment 3•10 months ago
|
||
This seems to me more like an enhancement than a defect. Marking as new so that dev team can leave they opinion about this. Thank you.
|
||
Updated•10 months ago
|
|
|
||
Updated•10 months ago
|
|
Assignee | |
Updated•10 months ago
|
|
|
Assignee | |
Comment 4•10 months ago
|
||
This implementes the following requirement from the spec:
https://html.spec.whatwg.org/#fetch-a-single-module-script
-
In both cases, let processResponseConsumeBody given response response and null, failure, or a byte sequence bodyBytes be the following algorithm:
-
Let referrerPolicy be the result of parsing the
Referrer-Policyheader given response. -
If referrerPolicy is not the empty string, set options's referrer policy to referrerPolicy.
|
|
Assignee | |
Comment 5•10 months ago
|
||
https://html.spec.whatwg.org/multipage/webappapis.html#hostloadimportedmodule
- If referrer is a Script Record or a Module Record, then:
... - Set fetchOptions to the new descendant script fetch options for referencingScript's fetch options.
See the discussion from
https://github.com/whatwg/html/pull/9210#pullrequestreview-1413230811
https://github.com/whatwg/html/pull/9210#issuecomment-1535490692
|
|
Assignee | |
Comment 6•10 months ago
|
||
https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer
"origin-when-cross-origin":
If the origin of referrerURL and the origin of request’s current URL are the same, then return referrerURL.
Originally the implementation checks if the triggeringPrincipal and the
request's current URL are the same-origin.
But this will cause wrong refererr to be sent in the following case:
document (origin: A) -> static import a JS script called Script1 (origin:B)
Script1 imports (statically) another JS script Script2 (origin: B)
According to the spec, when determining the referrer of Script2,
Script1's origin and Script2's origin should be compared,
but in our implementation, the document's origin and the Script2's
origin are compared.
|
|
Assignee | |
Comment 7•10 months ago
|
||
|
|
Assignee | |
Comment 8•10 months ago
|
||
Suggested by jonco during review,
https://phabricator.services.mozilla.com/D186944#inline-1036982
|
||
Updated•10 months ago
|
|
|
Assignee | |
Comment 9•10 months ago
|
||
https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer
"same-origin"
- If the origin of referrerURL and the origin of request’s current URL are the
same, then return referrerURL. - Return no referrer.
Current implementation compares with triggeringPrincipal and current URI,
which is incorrect for static imports.
Also added some test for same-origin in referrer-policy-for-descendants.sub.html
parentWithSameOrigin:
document(origin A) imports import-referrer-checker.sub.js (origin A),
which imports referrer-checker.py (origin A), so referrerURL
(import-referrer-checker.sub.js) is expected.
remoteParentWithSameOriginWhenCrossOriginSameOriginDescendant:
document(origin A) imports a cross-origin import-referrer-checker.sub.js
(origin B),
which imports referrer-checker.py (origin B),
so referrerURL (import-referrer-checker.sub.js) is expected.
remoteParentWithSameOriginWhenCrossOriginRemoteDescendant:
document(origin A) imports a cross-origin import-referrer-checker.sub.js
(origin B),
which imports referrer-checker.py (origin A),
so "" (no referrer) is expected.
Similar tests can also be found in /html/semantics/scripting-1/the-script-element/module/referrer-same-origin.sub.html
|
|
||
Updated•10 months ago
|
|
|
||
Updated•10 months ago
|
|
||
Comment 10•9 months ago
|
||
Pushed by allstars.chh@gmail.com: https://hg.mozilla.org/integration/autoland/rev/9d342ff0f27c Part 1: Move ReferrerPolicy to ScriptLoadRequest and LoadedScript. r=jonco,smaug https://hg.mozilla.org/integration/autoland/rev/14352d684149 Part 2: Parse the referrer policy from http header and update the referrer policy. r=jonco,smaug https://hg.mozilla.org/integration/autoland/rev/b7254925687d Part 3: Fix "Determine the referrer when the policy is origin-when-cross-origin". r=evilpie https://hg.mozilla.org/integration/autoland/rev/a2b34d63b557 Part 4: Fix "Determine the referrer when the policy is same-origin. r=evilpie https://hg.mozilla.org/integration/autoland/rev/d4266c5fb76c Part 5: Update WPT ini files. r=jonco,evilpie,smaug
|
||
Comment 11•9 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9d342ff0f27c
https://hg.mozilla.org/mozilla-central/rev/14352d684149
https://hg.mozilla.org/mozilla-central/rev/b7254925687d
https://hg.mozilla.org/mozilla-central/rev/a2b34d63b557
https://hg.mozilla.org/mozilla-central/rev/d4266c5fb76c
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/42148 for changes under testing/web-platform/tests
Upstream PR merged by moz-wptsync-bot
Description
•