Intent to Implement & Ship: Referrer Policy header for CSS
68 views
Skip to first unread message
Jochen Eisinger
Feb 6, 2017, 5:14:31 AM2/6/17
to blink-dev, Boris Zbarsky, Emily Stark
Contact emails
Spec
Summary
Stylesheets loaded from the network will get their own referrer policy instead of inheriting it from the owner document. The policy can be set via the referrer policy header.
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
Debuggability
Referrer policies are exposed in the network panel of devtools.
Interoperability and Compatibility Risk
If a site relies on setting the referrer policy for stylesheets via inheritance from a document, they'll have to send a header instead. Also, they relied on previously unspec'ed behavior...
Edge: No signals
Firefox: Public support: working with +Boris Zbarsky to get the wording right here: https://github.com/w3c/webappsec-referrer-policy/pull/92 - I'll just count that as public support of the general idea
Safari: No signals
Web developers: No signals
OWP launch tracking bug
Entry on the feature dashboard
https://www.chromestatus.com/features/5639972996513792 (reusing existing entry for Referrer Policy header support)
Dimitri Glazkov
Feb 6, 2017, 10:22:14 AM2/6/17
to Jochen Eisinger, blink-dev, Boris Zbarsky, Emily Stark
LGTM1
Chris Harrelson
Feb 8, 2017, 12:20:44 PM2/8/17
to Dimitri Glazkov, Jochen Eisinger, blink-dev, Boris Zbarsky, Emily Stark
LGTM2
LGTM1
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
PhistucK
Feb 8, 2017, 1:20:00 PM2/8/17
to Chris Harrelson, Dimitri Glazkov, Jochen Eisinger, blink-dev, Boris Zbarsky, Emily Stark
Are you going to send an intent to remove for the inheritance part (and a dashboard entry for it)?
I think you should.
☆PhistucK
Rick Byers
Feb 8, 2017, 1:53:57 PM2/8/17
to PhistucK, Chris Harrelson, Dimitri Glazkov, Jochen Eisinger, blink-dev, Boris Zbarsky, Emily Stark
LGTM3
On Wed, Feb 8, 2017 at 1:19 PM, PhistucK <phis...@gmail.com> wrote:
Are you going to send an intent to remove for the inheritance part (and a dashboard entry for it)?I think you should.☆PhistucKOn Wed, Feb 8, 2017 at 7:20 PM, Chris Harrelson <chri...@chromium.org> wrote:LGTM2On Mon, Feb 6, 2017 at 7:22 AM, Dimitri Glazkov <dgla...@chromium.org> wrote:LGTM1On Mon, Feb 6, 2017 at 2:14 AM Jochen Eisinger <joc...@chromium.org> wrote:
Was there some follow-up somewhere else? There's not actually any review response about referrer policy there as far as I can see.
SummaryStylesheets loaded from the network will get their own referrer policy instead of inheriting it from the owner document. The policy can be set via the referrer policy header.Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?YesDebuggabilityReferrer policies are exposed in the network panel of devtools.Interoperability and Compatibility RiskIf a site relies on setting the referrer policy for stylesheets via inheritance from a document, they'll have to send a header instead. Also, they relied on previously unspec'ed behavior...
I guess there's some potential compat risk here, but it's hard to quantify (since it depends almost entirely on server behavior) - right? It seems reasonable to expect that the risk is low, but we should be prepared to re-evaluate if we get reports of real breakage.
Please make sure this gets mentioned in the deprecations blog post. IMHO that's what's important about the "deprecations" process (otherwise this seems small / low-risk enough that I don't see a need for a separate intent / dashboard entry).
Edge: No signalsFirefox: Public support: working with +Boris Zbarsky to get the wording right here: https://github.com/w3c/webappsec-referrer-policy/pull/92 - I'll just count that as public support of the general ideaSafari: No signalsWeb developers: No signalsOWP launch tracking bug
I marked this as a "OWP-Type-ChangeBehavior" bug. Please add the correct milestone once it's landed and known to be shipping (so it shows up in searches for OWP changes in that milestone).
Jochen Eisinger
Feb 15, 2017, 11:49:15 AM2/15/17
to Rick Byers, PhistucK, Chris Harrelson, Dimitri Glazkov, blink-dev, Boris Zbarsky, Emily Stark
On Wed, Feb 8, 2017 at 7:53 PM Rick Byers <rby...@chromium.org> wrote:
LGTM3On Wed, Feb 8, 2017 at 1:19 PM, PhistucK <phis...@gmail.com> wrote:Are you going to send an intent to remove for the inheritance part (and a dashboard entry for it)?I think you should.☆PhistucKOn Wed, Feb 8, 2017 at 7:20 PM, Chris Harrelson <chri...@chromium.org> wrote:LGTM2On Mon, Feb 6, 2017 at 7:22 AM, Dimitri Glazkov <dgla...@chromium.org> wrote:LGTM1On Mon, Feb 6, 2017 at 2:14 AM Jochen Eisinger <joc...@chromium.org> wrote:Was there some follow-up somewhere else? There's not actually any review response about referrer policy there as far as I can see.
I actually don't know whether there's something on record. The tl;dr version is that relaxing referrer restrictions is considered to be helping websites move to https without running the risk of losing attribution.
With that in mind, referrer controls were removed from CSP as CSP is supposed to always restrict things, and we now have a separate header to control referrer policies.
SummaryStylesheets loaded from the network will get their own referrer policy instead of inheriting it from the owner document. The policy can be set via the referrer policy header.Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?YesDebuggabilityReferrer policies are exposed in the network panel of devtools.Interoperability and Compatibility RiskIf a site relies on setting the referrer policy for stylesheets via inheritance from a document, they'll have to send a header instead. Also, they relied on previously unspec'ed behavior...I guess there's some potential compat risk here, but it's hard to quantify (since it depends almost entirely on server behavior) - right? It seems reasonable to expect that the risk is low, but we should be prepared to re-evaluate if we get reports of real breakage.Please make sure this gets mentioned in the deprecations blog post. IMHO that's what's important about the "deprecations" process (otherwise this seems small / low-risk enough that I don't see a need for a separate intent / dashboard entry).
Sure, I'll make sure that this gets covered.
Edge: No signalsFirefox: Public support: working with +Boris Zbarsky to get the wording right here: https://github.com/w3c/webappsec-referrer-policy/pull/92 - I'll just count that as public support of the general ideaSafari: No signalsWeb developers: No signalsOWP launch tracking bugI marked this as a "OWP-Type-ChangeBehavior" bug. Please add the correct milestone once it's landed and known to be shipping (so it shows up in searches for OWP changes in that milestone).
Will do
--Entry on the feature dashboardhttps://www.chromestatus.com/features/5639972996513792 (reusing existing entry for Referrer Policy header support)
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Jochen Eisinger
Mar 29, 2017, 7:19:05 AM3/29/17
to Rick Byers, PhistucK, Chris Harrelson, Dimitri Glazkov, blink-dev, Boris Zbarsky, Emily Stark
fyi, this has landed now (including web platform tests)
Reply all
Reply to author
Forward
0 new messages