Bug 97233

Summary: CSP reports should send an empty 'referrer' rather than nothing.
Product: WebKit
Reporter: Mike West <mkwst>
Component: WebCore Misc.
Assignee: Mike West <mkwst>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, webkit.review.bot
Priority: P2
Keywords: WebExposed
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Mike West 2012-09-20 10:32:14 PDT
If no referrer exists, we don't send a 'referrer' attribute at all. It would be friendlier to send an explicitly empty referrer.
Comment 1 Mike West 2012-09-20 10:45:51 PDT
Created attachment 164942
Patch
Comment 2 Mike West 2012-09-20 10:47:15 PDT
At least one developer found this surprising. *shrug* It's a trivial change, and it's arguably a more explicit description of what's going on.

WDYT, Adam?
Comment 3 Mike West 2012-09-20 10:47:44 PDT
https://twitter.com/adam_baldwin/status/248836426131701760 <-- the thread.
Comment 4 Adam Barth 2012-09-20 11:14:21 PDT
Comment on attachment 164942
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=164942&action=review

> Source/WebCore/ChangeLog:11
> +        Currently, if a protected resource doesn't have a referrer, then any
> +        Content Security Policy violations send a report that doesn't contain
> +        a referrer attribute. It's arguably friendlier to developers to include
> +        an explicitly empty attribute.
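
Review bot: the rationale in this ChangeLog paragraph (Source/WebCore/ChangeLog:11) rests on "arguably friendlier to developers" alone and does not describe the resulting report. Consider saying outright that the referrer attribute is now always present in the report and is empty when the protected resource has no referrer, so that anyone consuming reports can see the new shape from the ChangeLog.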

Yeah, it's also what the spec says to do.  :)
Comment 5 Mike West 2012-09-20 11:20:16 PDT
(In reply to comment #4)
> (From update of attachment 164942)
> View in context: https://bugs.webkit.org/attachment.cgi?id=164942&action=review
> 
> > Source/WebCore/ChangeLog:11
> > +        Currently, if a protected resource doesn't have a referrer, then any
> > +        Content Security Policy violations send a report that doesn't contain
> > +        a referrer attribute. It's arguably friendlier to developers to include
> > +        an explicitly empty attribute.
> 
> Yeah, it's also what the spec says to do.  :)

Specs... ha! Like anyone reads those...

Thanks! :)
Comment 6 WebKit Review Bot 2012-09-20 11:52:10 PDT
Comment on attachment 164942
Patch

Clearing flags on attachment: 164942

Committed r129150: <http://trac.webkit.org/changeset/129150>
Comment 7 WebKit Review Bot 2012-09-20 11:52:13 PDT
All reviewed patches have been landed.  Closing bug.
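
A report collector has to accept both shapes discussed in this bug: reports with no 'referrer' key and reports with an explicitly empty one. The following is an added example, not code from the patch or from WebKit; the function name, the sample bodies and the choice of required keys are assumptions, and the key names other than 'referrer' come from the CSP report format rather than from this page.

```javascript
// Added example: collector-side normalisation of a CSP violation report body.
// Key names other than 'referrer' are taken from the CSP 1.0 report format.
const REQUIRED_KEYS = ['document-uri', 'violated-directive']; // assumed policy

function normalizeCspReport(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, error: 'body is not JSON' };
  }
  const report = parsed && parsed['csp-report'];
  if (report === null || typeof report !== 'object' || Array.isArray(report)) {
    return { ok: false, error: "missing 'csp-report' object" };
  }
  for (const key of REQUIRED_KEYS) {
    if (typeof report[key] !== 'string' || report[key] === '') {
      return { ok: false, error: `missing '${key}'` };
    }
  }
  // A build without this change omits the key when there is no referrer; a
  // build with it sends the key with an empty value. Both mean "no referrer".
  const hasKey = Object.prototype.hasOwnProperty.call(report, 'referrer');
  if (hasKey && typeof report.referrer !== 'string') {
    return { ok: false, error: "'referrer' is not a string" };
  }
  return {
    ok: true,
    documentUri: report['document-uri'],
    violatedDirective: report['violated-directive'],
    referrer: hasKey ? report.referrer : '',
    referrerKeyPresent: hasKey, // lets you measure which report shape arrives
  };
}

// Constructed sample bodies (not captured from a real browser).
const base = { 'document-uri': 'https://app.example/', 'violated-directive': 'script-src' };
const SAMPLES = {
  keyOmitted: JSON.stringify({ 'csp-report': base }),
  keyEmpty: JSON.stringify({ 'csp-report': { ...base, referrer: '' } }),
  keyBadType: JSON.stringify({ 'csp-report': { ...base, referrer: null } }),
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, normalizeCspReport(body));
}
```

Downstream code reads `referrer` as a string in every accepted case, while `referrerKeyPresent` shows how many reports still arrive in the older shape.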