Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent to implement: Support Referrer Policy for <script> elements
61 views
Skip to first unread message
Thomas Nguyen
Oct 31, 2018, 10:04:18 AM10/31/18
to dev-pl...@lists.mozilla.org
Summary: This implementation adds Referrer Policy support to the <script>
element, so it is technically possible to speculatively load script with a
referrerpolicy attribute.
Bug: <https://bugzilla.mozilla.org/show_bug.cgi?id=1330487>
https://bugzilla.mozilla.org/show_bug.cgi?id=1460920
Link to standard: https://github.com/w3c/webappsec-referrer-policy/issues/96
Platform coverage: All platforms.
Estimated or target release: 66
Is this feature enabled by default in sandboxed iframes? Yes.
DevTools bug: There is already a general DevTools bug which allows to
display referrer policy for a given request, see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1496742
Do other browser engines implement this? Chromium, see:
https://www.chromestatus.com/feature/5227651627220992
Is this feature restricted to secure contexts? No.
Web-platform-tests: Yes; currently disabled in our codebase
https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
--
Best regards,
=====================================================
Thomas Nguyen
IRC : tng...@irc.mozilla.com
Slack: tnguyen
Email: tng...@mozilla.com
=====================================================
element, so it is technically possible to speculatively load script with a
referrerpolicy attribute.
Bug: <https://bugzilla.mozilla.org/show_bug.cgi?id=1330487>
https://bugzilla.mozilla.org/show_bug.cgi?id=1460920
Link to standard: https://github.com/w3c/webappsec-referrer-policy/issues/96
Platform coverage: All platforms.
Estimated or target release: 66
Is this feature enabled by default in sandboxed iframes? Yes.
DevTools bug: There is already a general DevTools bug which allows to
display referrer policy for a given request, see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1496742
Do other browser engines implement this? Chromium, see:
https://www.chromestatus.com/feature/5227651627220992
Is this feature restricted to secure contexts? No.
Web-platform-tests: Yes; currently disabled in our codebase
https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
--
Best regards,
=====================================================
Thomas Nguyen
IRC : tng...@irc.mozilla.com
Slack: tnguyen
Email: tng...@mozilla.com
=====================================================
James Graham
Nov 1, 2018, 6:28:11 AM11/1/18
to dev-pl...@lists.mozilla.org
On 31/10/2018 14:03, Thomas Nguyen wrote:
> Summary: This implementation adds Referrer Policy support to the <script>
> element, so it is technically possible to speculatively load script with a
> referrerpolicy attribute.
> Summary: This implementation adds Referrer Policy support to the <script>
> element, so it is technically possible to speculatively load script with a
> referrerpolicy attribute.
> Web-platform-tests: Yes; currently disabled in our codebase
>
> https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
I can't see from the search where the tests are disabled, but I do
>
> https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
remember there were some problems with those referrer policy tests in
the past, so maybe I am overlooking something. In any case I presume we
will ensure that they are working as part of the implementation work?
Do we have any idea of whether the existing tests provide sufficient
coverage of the feature?
Thomas Nguyen
Nov 1, 2018, 7:04:13 AM11/1/18
to ja...@hoppipolla.co.uk, dev-pl...@lists.mozilla.org
The link
https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
is not covered all the tests. Thanks James for pointing it out.
In fact, we have synced all script-tag tests which were added in
https://github.com/web-platform-tests/wpt/pull/10976/commits/78a3837eb9cc4fb1bd55f21a9823eda82694d3d2
The tests should provide sufficient coverage of the feature. All the tests
are disabled now, for example:
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/no-referrer/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/referrer-policy/no-referrer/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/origin/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/origin/attr-referrer/same-origin/http-http/script-tag
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
is not covered all the tests. Thanks James for pointing it out.
In fact, we have synced all script-tag tests which were added in
https://github.com/web-platform-tests/wpt/pull/10976/commits/78a3837eb9cc4fb1bd55f21a9823eda82694d3d2
The tests should provide sufficient coverage of the feature. All the tests
are disabled now, for example:
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/no-referrer/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/referrer-policy/no-referrer/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/origin/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/origin/attr-referrer/same-origin/http-http/script-tag
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
James Graham
Nov 1, 2018, 7:24:54 AM11/1/18
to Thomas Nguyen, dev-pl...@lists.mozilla.org
On 01/11/2018 11:03, Thomas Nguyen wrote:
> The link
> https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
> is not covered all the tests. Thanks James for pointing it out.
> In fact, we have synced all script-tag tests which were added in
> https://github.com/web-platform-tests/wpt/pull/10976/commits/78a3837eb9cc4fb1bd55f21a9823eda82694d3d2
> The tests should provide sufficient coverage of the feature. All the
> tests are disabled now, for example:
It looks like the tests are marked as expected: FAIL rather than
> The link
> https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
> is not covered all the tests. Thanks James for pointing it out.
> In fact, we have synced all script-tag tests which were added in
> https://github.com/web-platform-tests/wpt/pull/10976/commits/78a3837eb9cc4fb1bd55f21a9823eda82694d3d2
> The tests should provide sufficient coverage of the feature. All the
> tests are disabled now, for example:
disabled, and checking treeherder I'm finding results so I think they
are indeed already running (sorry if this is a bit pedantic, I was just
making sure I understood the situation).
Thomas Nguyen
Nov 1, 2018, 11:58:58 AM11/1/18
to ja...@hoppipolla.co.uk, dev-pl...@lists.mozilla.org
Oh, you are right, sorry that I used confusing words. After implementation,
we expect they are all passed as OK, not FAIL.
we expect they are all passed as OK, not FAIL.
0 new messages