This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26830 - Referrer for window.open() navigation should be based on entry script's responsible document, not entry script's responsible document
Summary: Referrer for window.open() navigation should be based on entry script's respo...
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: Other other
: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL:
Whiteboard:
Keywords:
Depends on: fetch
Blocks:
  Show dependency treegraph
 
Reported: 2014-09-17 05:35 UTC by Ian 'Hixie' Hickson
Modified: 2014-09-24 22:21 UTC (History)
4 users (show)

See Also:


Attachments

Description Ian 'Hixie' Hickson 2014-09-17 05:35:14 UTC
Based on this test:
   http://damowmow.com/playground/demos/settings-objects/001/a/a.html
...it looks like the referrer needs to be based on the entry script settings object's referrer source, not the source browsing context's document as the HTML spec says now.

Anne, Mike: Should I still be defining this in the HTML spec, or is this something that should be defined in Fetch or in the Referrer Policy spec?
Comment 1 Ian 'Hixie' Hickson 2014-09-17 05:39:37 UTC
Actually this might just be specific to window.open(). When I use location.assign(), it works as you'd expect (using the incumbent settings object's responsible document).

   http://damowmow.com/playground/demos/settings-objects/002/a/a.html

So maybe the bug here is just that window.open() should use the entry settings object's responsible browsing context as the source browsing context.
Comment 2 Ian 'Hixie' Hickson 2014-09-17 05:40:36 UTC
(...in Chrome. In Firefox, 002 actually uses the incumbent settings object's API base URL for the URL resolution too, which is different.)
Comment 3 Anne 2014-09-17 10:47:22 UTC
Referrer Policy takes its cues from Fetch. Fetch takes its cues from the invoking party, which could set request's referrer to a URL.

Fetch also takes a client, which request's referrer would default to. Currently that is a JavaScript global environment, but you proposed making that a setting objects of sorts, that would offer access to an event loop, global object (to type check, e.g. ServiceWorkerGlobalScope vs Window), origin, and referrer and such (bug 24080 comment 9).

So the answer the question in comment 0: HTML needs to make sure it passes the correct data to Fetch. It's not clear to me how Fetch could make this decision.
Comment 4 Ian 'Hixie' Hickson 2014-09-17 16:10:53 UTC
Ok. Sounds good. In that case, I need to make sure window.open() is correctly set up.

(I filed bug 26836 on the settings objects stuff BTW.)
Comment 5 contributor 2014-09-24 22:21:27 UTC
Checked in as WHATWG revision r8816.
Check-in comment: Make window.open() match browsers better
https://html5.org/tools/web-apps-tracker?from=8815&to=8816