This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 25973 - CORS preflight referrer header.
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
Reported: 2014-06-04 08:27 UTC by Mike West
Modified: 2014-06-13 09:45 UTC

Description Mike West 2014-06-04 08:27:04 UTC
The current referrer policy hook is the first step of HTTP fetch. I believe this means that the preflight request will have an unmodified referrer header. Is that intentional? It seems wrong.

We should probably move the hook somewhere higher up (or just duplicate it for the prefetch, whichever you prefer).

Comment 1 Anne 2014-06-04 08:40:32 UTC
Yeah, the problem is that I don't quite know what the referrer argument to Fetch should be. Currently HTML has a "referrer source" concept which is either a URL or a Document. Fetch gets a Window already (through client) which seems somewhat redundant with the "referrer source" concept so I wonder if we can do some convergence there.

However, CORS preflight fetch invokes HTTP fetch to do the preflight so that part seems fine, no?

Comment 2 Mike West 2014-06-04 09:51:00 UTC
You're right, pushing the preflight fetch through the HTTP fetch algorithm solves the issue. Sorry I missed that detail.

Regarding the 'referrer source' concept, is there any case in which a request can be made with a referrer source other than the JavaScript global environment which generated the request?

Comment 3 Anne 2014-06-04 10:11:04 UTC
Yeah, e.g. style sheets want to use their own URL and not the URL of the environment they're associated with. SVG embedded as image fetching subresources would want to do the same. The SVG WG is notoriously bad at actually defining these things carefully though.

Comment 4 Mike West 2014-06-04 10:33:55 UTC
Hrm. Both those cases seem strange.

Comment 5 Anne 2014-06-11 14:16:30 UTC
I have ended up moving the referrer hook higher up by the way.

The rationale is that I'd like Request to have a referrer field that service worker can rely on (a header would only be included in network requests). So early on during fetch we'd figure out the referrer and then pass it through CSP for a policy check.

Comment 6 Anne 2014-06-13 09:45:51 UTC
This was improved as part of https://github.com/whatwg/fetch/commit/35b2c8b42797e1b2bc8e97f204aaf7c618599202 and fixed in bug 26058.
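
Added example, not part of the bug thread or the Fetch specification: a small JavaScript model of the two hook placements discussed above, showing that the preflight carries the policy-processed referrer in both, and that only the hoisted hook makes the processed value available on the request itself. All function names, field names, the two policy branches and the sample request are assumptions made for illustration.

```javascript
// Added model, not spec text: every name below is hypothetical.
// Stand-in for the referrer policy hook: reduce a referrer per policy.
function applyReferrerPolicy(referrer, policy) {
  if (referrer === null || policy === "no-referrer") return null;
  if (policy === "origin") return new URL(referrer).origin + "/";
  return referrer; // constructed default: send the URL unchanged
}

// Build what a network request would carry on the wire.
function toWire(method, url, referrer) {
  const headers = {};
  if (referrer !== null) headers["Referer"] = referrer;
  return { method, url, headers };
}

// Placement A (as first reported): the hook is the first step of HTTP fetch.
// The CORS preflight is itself sent through HTTP fetch, so it passes the hook.
function httpFetchWithHook(request, policy, wire) {
  const referrer = applyReferrerPolicy(request.referrer, policy);
  wire.push(toWire(request.method, request.url, referrer));
}
function fetchPlacementA(request, policy) {
  const wire = [];
  if (request.needsPreflight) {
    httpFetchWithHook({ ...request, method: "OPTIONS" }, policy, wire);
  }
  httpFetchWithHook(request, policy, wire);
  // Model assumption: the request object still holds the unprocessed value.
  return { wire, requestField: request.referrer };
}

// Placement B (after comment 5): the hook runs once, early in fetch, and the
// result is stored on the request, so non-network consumers see it too.
function fetchPlacementB(request, policy) {
  const resolved = { ...request, referrer: applyReferrerPolicy(request.referrer, policy) };
  const wire = [];
  if (resolved.needsPreflight) wire.push(toWire("OPTIONS", resolved.url, resolved.referrer));
  wire.push(toWire(resolved.method, resolved.url, resolved.referrer));
  return { wire, requestField: resolved.referrer };
}

// Constructed sample request; the URLs are placeholders.
const sampleRequest = {
  method: "PUT", url: "https://api.example/items/1", needsPreflight: true,
  referrer: "https://app.example/account?token=abc",
};
```

Comparing `fetchPlacementA(sampleRequest, "origin")` with `fetchPlacementB(sampleRequest, "origin")` gives identical wire output for the preflight and the actual request; the two differ only in `requestField`.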