Intent to implement: Support Referrer Policy for <script> elements

Discussion:

Thomas Nguyen

2018-10-31 14:03:32 UTC

Summary: This implementation adds Referrer Policy support to the <script>
element, so it is technically possible to speculatively load script with a
referrerpolicy attribute.

Bug: <https://bugzilla.mozilla.org/show_bug.cgi?id=1330487>
https://bugzilla.mozilla.org/show_bug.cgi?id=1460920

Link to standard: https://github.com/w3c/webappsec-referrer-policy/issues/96

Platform coverage: All platforms.

Estimated or target release: 66

Is this feature enabled by default in sandboxed iframes? Yes.

DevTools bug: There is already a general DevTools bug which allows to
display referrer policy for a given request, see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1496742

Do other browser engines implement this? Chromium, see:
https://www.chromestatus.com/feature/5227651627220992

Is this feature restricted to secure contexts? No.

Web-platform-tests: Yes; currently disabled in our codebase

https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=

--
Best regards,

=====================================================
Thomas Nguyen
IRC : ***@irc.mozilla.com
Slack: tnguyen
Email: ***@mozilla.com
=====================================================

James Graham

2018-11-01 10:27:59 UTC

Permalink

Post by Thomas Nguyen
Summary: This implementation adds Referrer Policy support to the <script>
element, so it is technically possible to speculatively load script with a
referrerpolicy attribute.
Web-platform-tests: Yes; currently disabled in our codebase
https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=

I can't see from the search where the tests are disabled, but I do
remember there were some problems with those referrer policy tests in
the past, so maybe I am overlooking something. In any case I presume we
will ensure that they are working as part of the implementation work?

Do we have any idea of whether the existing tests provide sufficient
coverage of the feature?

Thomas Nguyen

2018-11-01 11:03:10 UTC

Permalink

The link
https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
is not covered all the tests. Thanks James for pointing it out.
In fact, we have synced all script-tag tests which were added in
https://github.com/web-platform-tests/wpt/pull/10976/commits/78a3837eb9cc4fb1bd55f21a9823eda82694d3d2
The tests should provide sufficient coverage of the feature. All the tests
are disabled now, for example:
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/no-referrer/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/referrer-policy/no-referrer/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/origin/attr-referrer/cross-origin/http-http/script-tag
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/origin/attr-referrer/same-origin/http-http/script-tag

Post by Thomas Nguyen

Post by Thomas Nguyen
Summary: This implementation adds Referrer Policy support to the <script>
element, so it is technically possible to speculatively load script with

Post by Thomas Nguyen
referrerpolicy attribute.
Web-platform-tests: Yes; currently disabled in our codebase

https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
I can't see from the search where the tests are disabled, but I do
remember there were some problems with those referrer policy tests in
the past, so maybe I am overlooking something. In any case I presume we
will ensure that they are working as part of the implementation work?
Do we have any idea of whether the existing tests provide sufficient
coverage of the feature?
_______________________________________________
dev-platform mailing list
https://lists.mozilla.org/listinfo/dev-platform

James Graham

2018-11-01 11:24:45 UTC

Permalink

Post by Thomas Nguyen
The link
https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=
is not covered all the tests. Thanks James for pointing it out.
In fact, we have synced all script-tag tests which were added in
https://github.com/web-platform-tests/wpt/pull/10976/commits/78a3837eb9cc4fb1bd55f21a9823eda82694d3d2
The tests should provide sufficient coverage of the feature. All the

It looks like the tests are marked as expected: FAIL rather than
disabled, and checking treeherder I'm finding results so I think they
are indeed already running (sorry if this is a bit pedantic, I was just
making sure I understood the situation).

Thomas Nguyen

2018-11-01 15:58:11 UTC

Permalink

Oh, you are right, sorry that I used confusing words. After implementation,
we expect they are all passed as OK, not FAIL.

Post by Thomas Nguyen

Post by Thomas Nguyen
The link

https://searchfox.org/mozilla-central/search?q=script-tag%2Finsecure-protocol.keep-origin-redirect.http.html&path=

Post by Thomas Nguyen
is not covered all the tests. Thanks James for pointing it out.
In fact, we have synced all script-tag tests which were added in

https://github.com/web-platform-tests/wpt/pull/10976/commits/78a3837eb9cc4fb1bd55f21a9823eda82694d3d2

Post by Thomas Nguyen
The tests should provide sufficient coverage of the feature. All the