1 | Proposed Content-Security-Policy directive: "restrict-referrer-leakage" |
---|
2 | |
---|
3 | Specification text for https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html : |
---|
4 | |
---|
5 | 3.4.2 SecurityPolicy |
---|
6 | |
---|
7 | [add to SecurityPolicy IDL interface keeping methods in alphabetical order] |
---|
8 | |
---|
9 | bool allowsReferrerLeakageTo (DOMString url); |
---|
10 | |
---|
11 | 3.4.2.2 Methods |
---|
12 | |
---|
13 | [insert keeping method descriptions in alphabetical order] |
---|
14 | |
---|
15 | allowsReferrerLeakageTo |
---|
16 | Returns the logical and of whether the provided url _matches_ the _allowed referrer recipients_ |
---|
17 | of each of the _active CSP policies_. |
---|
18 | |
---|
19 | Parameter Type Nullable Optional Description |
---|
20 | url DOMString x x |
---|
21 | |
---|
22 | No exceptions. |
---|
23 | Return type: bool |
---|
24 | |
---|
25 | Note: the name 'allowsReferrerLeakageTo' does not have the same spelling error as the Referer |
---|
26 | HTTP header [HTTP11]. |
---|
27 | |
---|
28 | [insert section before current 4.15 report-uri] |
---|
29 | |
---|
30 | 4.15 restrict-referrer-leakage (Experimental) |
---|
31 | |
---|
32 | The restrict-referrer-leakage directive restricts which URIs may receive HTTP Referer (sic) |
---|
33 | [HTTP11] headers, or equivalent for other protocols, containing the URI of resources to which |
---|
34 | the policy applies. |
---|
35 | |
---|
36 | directive-name = "restrict-referrer-leakage" |
---|
37 | directive-value = source-list |
---|
38 | |
---|
39 | The term *allowed referrer recipients* refers to the result of _parsing the restrict-referrer-leakage |
---|
40 | directive's value as a source list_ if the policy contains an explicit restrict-referrer-leakage, or |
---|
41 | otherwise to the _default sources_. |
---|
42 | |
---|
43 | When a user agent is to _fetch a resource or URL_ as described in [HTML5] section 2.7.2 Processing model |
---|
44 | (including as part of a _preflight request_ [CORS], _cross-origin request_ [CORS], _XMLHttpRequest_ [XHR], |
---|
45 | etc.) then the fetch is a *no-referrer fetch* if: |
---|
46 | |
---|
47 | - the referrer at the "clean referrer" step of that algorithm is a _Document_ or _URL_ to which |
---|
48 | this policy applies; and |
---|
49 | - the URI to be fetched does not match the _allowed referrer recipients_. |
---|
50 | |
---|
51 | In any no-referrer fetch, at the "clean referrer" step of the fetch algorithm, the referrer MUST |
---|
52 | be replaced with the empty string. The effect is to ensure that the HTTP Referer header (or equivalent |
---|
53 | for other protocols) is omitted, regardless of the value it would have but for this policy. |
---|
54 | |
---|
55 | Any no-referrer fetch MUST be treated as a request from a "privacy-sensitive" context. [ORIGIN] |
---|
56 | |
---|
57 | If a _Document_ is created from a no-referrer fetch, its _referrer attribute_ SHALL be the empty |
---|
58 | string. |
---|
59 | |
---|
60 | Whenever a new _auxiliary browsing context_ [HTML5] is created, if its opener browsing context |
---|
61 | would be a context to which this policy applies, the getter of the opener IDL attribute on the |
---|
62 | Window object of the new context SHALL return null (instead of the WindowProxy for the opener |
---|
63 | browsing context that it would otherwise return). |
---|
64 | |
---|
65 | Implementors of user agents are encouraged to look for other situations, including any resulting |
---|
66 | from implementation-dependent features, that might result in leakage of URIs, and restrict such |
---|
67 | leakage in a way consistent with the applicable restrict-referrer-leakage policy. This includes |
---|
68 | leakage to contexts that are not clearly associated with an URI that can be matched against the |
---|
69 | allowed referrer recipients, unless the applicable policy allows transmission of the referrer to |
---|
70 | all URIs. |
---|
71 | |
---|
72 | Note: |
---|
73 | The name restrict-referrer-leakage does not have the same spelling error as the Referer header. |
---|
74 | |
---|
75 | Note: |
---|
76 | This specification should not be interpreted as preventing user agents from applying other |
---|
77 | restrictions to limit referrer leakage. |
---|
78 | |
---|
79 | Non-normative note: |
---|
80 | In particular, a user agent that never sends the HTTP Referer header (or equivalent for other |
---|
81 | protocols), for which a Document's referrer attribute is always the empty string, and for |
---|
82 | which a Window's opener attribute is always null, would not be violating either the letter |
---|
83 | or the intent of this specification. This would also be consistent with [HTTP11] (which has |
---|
84 | no normative requirement to send the Referer header, and suggests in its Security Considerations |
---|
85 | section to provide a convenient interface for users to disable sending it), and [HTML5] (which |
---|
86 | also allows user agents to be configured not to report referrers). |
---|
87 | |
---|
88 | Non-normative note: |
---|
89 | The effect of this directive with an empty set of allowed referrer recipients includes the |
---|
90 | effect of treating all links from the affected documents as having the _noreferrer link type_ |
---|
91 | [HTML5]. However, this directive: |
---|
92 | - applies to all requests, rather than only to requests made as a result of following links |
---|
93 | defined by an HTML 'a' or 'area' element; |
---|
94 | - does not require rewriting links to have the noreferrer type; |
---|
95 | - enables the set of allowed referrer recipients to be controlled, subject to any other |
---|
96 | user-agent-dependent restrictions as mentioned above; |
---|
97 | - is resistant to content injection attacks (at least in the case where the |
---|
98 | Content-Security-Policy is specified by HTTP header). |
---|