7032 2009-06-17 21:02:30 +0000 Sandboxing and Referer 2010-10-04 14:55:13 +0000 1 1 1 Unclassified HTML WG pre-LC1 HTML5 spec (editor: Ian Hickson) unspecified All All VERIFIED NEEDSINFO NoReply P2 normal --- 1 annevk ian mike public-html-admin public-html-wg-issue-tracking w3c public-html-bugzilla oldest_to_newest 25595 0 annevk 2009-06-17 21:02:30 +0000 The Referer header should probably be affected in a sandboxed <iframe> that have the sandboxed origin browsing context flag set. Depending on what HTTPbis does it might need to about:blank (I think). 25596 1 ian 2009-06-17 22:36:59 +0000 why? 25598 2 w3c 2009-06-18 00:50:34 +0000 I think the thought process goes like this: Premise 1) Referer can be used as a credential. Premise 2) Sandboxed iframes should't get the credentials of their origin (e.g., they get some unique origin). ------------- Conclusion: Sandboxed iframes shouldn't get a Referer. Do you disagree with one of the premises? 25600 3 ian 2009-06-18 07:46:32 +0000 I disagree with the first premise, and with the implication that the referrer is necessarily related to the origin. I think I'm also confused with what refererrs we're talking about here. The original one for the page load during navigation? Subsequent ones for sub resources? Referrers for further navigations? 25612 4 w3c 2009-06-19 00:21:33 +0000 [reordered] > I think I'm also confused with what refererrs we're talking about here. The > original one for the page load during navigation? Nope. > Subsequent ones for sub resources? Referrers for further navigations? Yes. What one might call the "outgoing referrer" for the page. > I disagree with the first premise, and with the implication that the referrer > is necessarily related to the origin. I think that's a reasonable position. I'll let others who feel more strongly about this issue express their points of view. 25615 5 annevk 2009-06-19 08:41:10 +0000 (FWIW, the others would be Tyler Close and Mark S. Miller both not cc'ed on this bug.) 25691 6 ian 2009-06-26 09:15:48 +0000 I intend to WONTFIX this unless further information can be provided to explain why Referrer information for internal references to external resources within a sandboxed iframe should be dropped. It seems bad to have a context that is referrer-free; it would make it impossible, for instance, for a site to referrer-protect their images against third-party sites if those images are used in any sandboxed frame within the site itself. 33122 7 mjs 2010-03-14 14:48:17 +0000 This bug predates the HTML Working Group Decision Policy. If you are satisfied with the resolution of this bug, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html This bug is now being moved to VERIFIED. Please respond within two weeks. If this bug is not closed, reopened or escalated within two weeks, it may be marked as NoReply and will no longer be considered a pending comment.