advance Referrer Policy?

# Emily Stark (a month ago)

Chrome's implementation of Referrer Policy includes the three newest policy values in M61 (www.chromestatus.com/feature/5634117806850048). I believe this brings us to two interoperable implementations, covered by web-platform-tests [https://github.com/w3c/web-platform-tests/tree/master/referrer-policy](https://github.com/w3c/web-platform-tests/tree/master/referrer-policy).

I'm told this means it might be time for a CfC to transition to PR.

Thoughts?

Thanks, Emily

Contact us to advertise here
# Jochen Eisinger (a month ago)

Did Firefox implement the CSS specific bits meanwhile?

# Emily Stark (a month ago)

Not sure -- Dan, do you know?

On Fri, Jul 21, 2017 at 8:55 AM, Jochen Eisinger eisinger@google.com

wrote:

# Franziskus Kiefer (a month ago)

Firefox doesn't implement the CSS bits yet [1]. I'm not sure if this is going to change any time soon.

[1] bugzilla.mozilla.org/show_bug.cgi?id=1330487

# Angelo Liao (16 days ago)

Edge in the current Windows insider build include most of the policies except same-origin, strict-origin, strict-origin-when-cross-origin. Supporting the remaining three is in our roadmap. We don’t intend to implement the CSS bits anytime soon as well. If possible, can we pull out the CSS section from the current CR so that we can transition the spec to PR? In the meantime, we can create a Level 2 and keep the CSS section in there.

From: Franziskus Kiefer [mailto:fkiefer@mozilla.com] Sent: Monday, July 24, 2017 1:29 AM To: Emily Stark estark@google.com Cc: Jochen Eisinger eisinger@google.com; Ann Onimos dveditz@mozilla.com; public-webappsec@w3.org; Mike West mkwst@google.com Subject: Re: advance Referrer Policy?

Firefox doesn't implement the CSS bits yet [1]. I'm not sure if this is going to change any time soon.

[1] bugzilla.mozilla.org/show_bug.cgi?id=1330487

On Sat, Jul 22, 2017 at 11:53 AM, Emily Stark estark@google.com<mailto:estark@google.com> wrote: Not sure -- Dan, do you know?

On Fri, Jul 21, 2017 at 8:55 AM, Jochen Eisinger eisinger@google.com<mailto:eisinger@google.com> wrote: Did Firefox implement the CSS specific bits meanwhile?

On Fri, Jul 21, 2017 at 8:48 AM Emily Stark estark@google.com<mailto:estark@google.com> wrote: Hi all,

Chrome's implementation of Referrer Policy includes the three newest policy values in M61 (www.chromestatus.com/feature/5634117806850048). I believe this brings us to two interoperable implementations, covered by web-platform-tests[https://github.com/w3c/web-platform-tests/tree/master/referrer-policy](https://github.com/w3c/web-platform-tests/tree/master/referrer-policy). I'm told this means it might be time for a CfC to transition to PR.

Thoughts?

Thanks, Emily

# Mike West (15 days ago)

Hrm. I don’t think that removing the expectations for CSS-initiated fetches is the right solution. We need to describe the way those fetches ought to work, and AFAIK, Boris and Jochen put a good amount of effort into coming up with the set of requirements in the document. If the group thinks that those are the right requirements, I’d prefer to see implementations align themselves to that agreement rather than throwing it overboard and leaving the behavior undefined.

Does any vendor object to the requirements set out in w3c.github.io/webappsec-referrer-policy/#integration-with-css? If not, and it's just a question of resourcing, then one option to advance the document may be to reformulate them as non-normative suggestions for the CSS working group if/when they get around to restructuring their specs to cleanly integrate with Fetch?

Another option would, of course, be to simply wait for another vendor to implement. Perhaps Mozilla could be encouraged to poke a bit at their implementation? Looks like 3 of the 7 tests in w3c/web-platform-tests/tree/master/referrer-policy/css-integration pass... Just 4 to go! :)

# Jochen Eisinger (3 days ago)

CSS doesn't really allow for feature detection of how it loads resources off of the network, so sites that care about precise referrer control have to resort to UA sniffing.

So maybe Firefox could indeed just implement that change and we're good to go?

# Daniel Veditz (2 hours ago)

On Tue, Aug 8, 2017 at 11:53 PM, Mike West mkwst@google.com wrote:

Hrm. I don’t think that removing the expectations for CSS-initiated fetches is the right solution. We need to describe the way those fetches ought to work, and AFAIK, Boris and Jochen put a good amount of effort into coming up with the set of requirements in the document. ​​ If the group thinks that those are the right requirements, I’d prefer to see implementations align themselves to that agreement rather than throwing it overboard and leaving the behavior undefined.

​100% agreed: must not be undefined. The spec rules are reasonable​. (The only other choice that would make any sense would be for stylesheets to inherit the referrer policy from the document.) Mozilla won't likely have someone free to work on this for several months.

- ​Dan Veditz​

# Mike West (an hour ago)

On Thu, Aug 24, 2017 at 8:41 AM, Daniel Veditz dveditz@mozilla.com wrote:

On Tue, Aug 8, 2017 at 11:53 PM, Mike West mkwst@google.com wrote:

Hrm. I don’t think that removing the expectations for CSS-initiated fetches is the right solution. We need to describe the way those fetches ought to work, and AFAIK, Boris and Jochen put a good amount of effort into coming up with the set of requirements in the document. ​​ If the group thinks that those are the right requirements, I’d prefer to see implementations align themselves to that agreement rather than throwing it overboard and leaving the behavior undefined.

​100% agreed: must not be undefined. The spec rules are reasonable​. (The only other choice that would make any sense would be for stylesheets to inherit the referrer policy from the document.) Mozilla won't likely have someone free to work on this for several months.

Ok. It seems like there's agreement that the spec is the behavior we want. So we're just waiting on implementations for that specific section.

It looks like WebKit has added support for the remaining referrer policies in their latest technical preview. John, do you know if folks in WebKit have looked at the CSS recommendations in the spec? Is that something y'all think you might find time to work on in the somewhat near future?

If not, I think we're just stuck waiting on this document.

Want more features?

Request early access to our private beta of readable email premium.