[whatwg] Feedback on Meta referrer

David Bruant bruant.d at gmail.com
Sat Dec 31 09:44:21 PST 2011


My feedback regards the current version of the wiki page [1].

I'm curious about why a Referer header is always sent. Specifically for
"never", an empty string is sent. Why not just not send the header at
all? That's what is specified for @rel=noreferrer [2] for instance:
"If a user agent follows a link defined by an a or area element that has
the noreferrer keyword, the user agent must not include a Referer (sic)
HTTP header (or equivalent for other protocols) in the request."
It is not said that the empty string is sent, but that the user agent
must not include a Referer header at all.
Moreover, I don't really know what a server would do more with an empty
Referer header as opposed to no header at all, so I don't see a use for
an empty Referer.

Another concern is what should happen if a request is sent before
finding a meta referrer. For instance:
    <link rel="stylesheet" href="a.css">
    <meta name="referrer" content="never">
In what conditions should the request for the css file be done? Ignore
the meta tag? Wait until the end of <head> in case there would be a meta

"TODO: This algorithm causes the most recently added meta element to
control the referrer-policy. Should we support changing the policy by
setting the content attribute? "
=> I think that allowing to change the policy by setting the content
attribute would be a good idea, but a question can arise regarding what
happens if there are several such <meta> elements in the document.

"How does this interact with rel=noreferrer? Presumably rel=noreferrer
should override whatever global setting the user agent gets from the
meta element. "
=> I agree that the specific should override the global.

Also, it seems to me that 2 different concerns are implicitly
addressed: "when should the Referer header be sent?" and "what should be
sent in the Referer header?" It could make sense to split up the
proposal in 2 keywords.
One controlling when the header is sent:
* never
* same origin (send the referer header if the target URL and document
URLs have the same origin)
* default (secure referer & not secure fetched)
* always
* (...)
another controlling what is sent:
* empty string (if there is really a use case for this)
* origin-only
* fragmentless URL
* (...)

Current policies can be expressed as the combinations of the above:
* "never" => default + empty string
* "default" => default + fragmentless URL
* "origin" => default + origin-only
* "always" => always + fragmentless URL


[1] http://wiki.whatwg.org/index.php?title=Meta_referrer&oldid=7711
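The following is an added example, not code from the original post or from the WHATWG wiki proposal: a small JavaScript model of the "when is the header sent" / "what is sent" split suggested above, together with the two interaction rules the post comments on (the most recently added meta element wins; rel=noreferrer overrides the global setting). The function and keyword names (shouldSend, referrerValue, referrerFor, effectiveReferrer, "same-origin", "origin-only", "fragmentless-url"), the serialisation of the origin-only form as origin plus a trailing slash, and the stripping of credentials from the fragmentless URL are assumptions made for illustration. The mapping table reproduces the post's own combinations as written. A null result models "no Referer header at all", as distinct from an empty-string Referer.

```javascript
// Added example modelling the post's proposed split of the meta referrer policy.
// Names and the "origin-only" serialisation below are assumptions for illustration.
// Uses the standard WHATWG URL class (available in Node and browsers).

const HEADER_OMITTED = null; // "do not include a Referer header" (as rel=noreferrer specifies)

// "when" keywords from the post: never, same-origin, default, always
function shouldSend(when, documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  switch (when) {
    case "never":
      return false;
    case "always":
      return true;
    case "same-origin":
      return doc.origin === target.origin;
    case "default":
      // "secure referer & not secure fetched": send unless an https document
      // is fetching a non-https target
      return !(doc.protocol === "https:" && target.protocol !== "https:");
    default:
      throw new Error("unknown when-keyword: " + when);
  }
}

// "what" keywords from the post: empty string, origin-only, fragmentless URL
function referrerValue(what, documentUrl) {
  const doc = new URL(documentUrl);
  switch (what) {
    case "empty":
      return "";
    case "origin-only":
      return doc.origin + "/"; // assumption: scheme://host[:port]/ with nothing else
    case "fragmentless-url":
      doc.hash = "";         // drop the fragment
      doc.username = "";     // assumption: never leak embedded credentials either
      doc.password = "";
      return doc.href;
    default:
      throw new Error("unknown what-keyword: " + what);
  }
}

// Combine the two keywords: returns the Referer value, or HEADER_OMITTED.
function referrerFor(when, what, documentUrl, targetUrl) {
  return shouldSend(when, documentUrl, targetUrl)
    ? referrerValue(what, documentUrl)
    : HEADER_OMITTED;
}

// The post's table mapping the wiki's single keywords to (when, what) pairs,
// reproduced exactly as written there.
const COMBINED = {
  never:   ["default", "empty"],
  default: ["default", "fragmentless-url"],
  origin:  ["default", "origin-only"],
  always:  ["always",  "fragmentless-url"],
};

// Resolve one link: rel=noreferrer (the specific) overrides the meta policy
// (the global), and among several <meta name="referrer"> elements the most
// recently added one controls, as the quoted TODO describes.
// metaContents: content attribute values in document order (constructed input).
function effectiveReferrer(metaContents, linkRel, documentUrl, targetUrl) {
  const rels = (linkRel || "").trim().split(/\s+/);
  if (rels.includes("noreferrer")) return HEADER_OMITTED;
  const keyword = metaContents.length ? metaContents[metaContents.length - 1] : "default";
  const pair = COMBINED[keyword];
  if (!pair) throw new Error("unknown meta referrer keyword: " + keyword);
  return referrerFor(pair[0], pair[1], documentUrl, targetUrl);
}

// Stand-alone demonstration over a constructed document and a few targets.
if (typeof require !== "undefined" && require.main === module) {
  const doc = "https://user:pw@example.org:8443/page?q=1#section";
  for (const target of ["https://example.net/", "http://example.net/"]) {
    for (const keyword of Object.keys(COMBINED)) {
      console.log(keyword, "->", target, "=", effectiveReferrer([keyword], "", doc, target));
    }
  }
}
```

Running the demonstration shows the distinction the post asks about: with "never" the model sends an empty string on an https-to-https fetch but omits the header entirely on https-to-http, whereas rel=noreferrer always yields no header.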
