Bug 185732 - Incorrect referrer for font-face
Status: RESOLVED DUPLICATE of bug 179054
https://bugs.webkit.org/show_bug.cgi?id=185732
Bernardo
Reported 2018-05-17 09:09:13 PDT
How to reproduce:

Scenario: request a page that has a CSS asset hosted by a CDN, and this asset contains a few `font-face` declarations. When requesting those fonts I would expect the `Referer` header to have the CDN domain in it, not my original webpage.

Example:
1. Page `example-a.com`
2. CDN `my-cdn.com` which hosts `myasset.css`
3. When `myasset.css` triggers a font request I would expect the `Referer` header to contain `my-cdn.com` instead of `example-a.com`
Attachments
Firefox (504.46 KB, image/png)
2018-05-24 09:01 PDT, Andy Estes
no flags
Chrome (430.81 KB, image/png)
2018-05-24 09:01 PDT, Andy Estes
no flags
iOS Safari (418.18 KB, image/png)
2018-05-24 09:01 PDT, Andy Estes
no flags
macOS Safari (405.24 KB, image/png)
2018-05-24 09:01 PDT, Andy Estes
no flags
Radar WebKit Bug Importer
Comment 1 2018-05-17 17:50:24 PDT
Andy Estes
Comment 2 2018-05-24 08:59:57 PDT
David from Shopify provided me a test case for this in email:

"""
The easiest way to replicate this is to load a page with a stylesheet that loads a font. For instance, loading https://output.jsbin.com/hewivoluqe and looking at the font request in the network inspector shows
- The CSS file's location being used as the Referer in Chrome and Firefox
- The web page's location being used as the Referer in Safari (both desktop and mobile)
I've attached screenshots highlighting this behaviour.
"""
Andy Estes
Comment 3 2018-05-24 09:01:02 PDT
Andy Estes
Comment 4 2018-05-24 09:01:15 PDT
Andy Estes
Comment 5 2018-05-24 09:01:34 PDT
Created attachment 341192: iOS Safari
Andy Estes
Comment 6 2018-05-24 09:01:45 PDT
Created attachment 341193: macOS Safari
youenn fablet
Comment 7 2018-05-25 08:36:39 PDT
Related spec is at https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements We might indeed need to explicitly set the referrer before calling CachedResourceLoader::requestFont.
Myles C. Maxfield
Comment 8 2018-05-25 18:25:11 PDT
I don't think we're convinced that the spec states that we are wrong. https://w3c.github.io/webappsec-referrer-policy/ https://tools.ietf.org/html/rfc7231#section-5.5.2
Alex Christensen
Comment 9 2018-05-29 10:33:27 PDT
The css fonts spec says this: "When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document." I'm wondering why the referrer is explicitly set in this spec to mean something different than other referrers.
youenn fablet
Comment 10 2018-05-29 10:44:36 PDT
> I'm wondering why the referrer is explicitly set in this spec to mean
> something different than other referrers.

Agreed, knowing the rationale would help either fixing our implementation or fixing the spec. The spec is using old wording but the intent is pretty clear to me. The stylesheet URL is used as referrer and can be further tweaked by the environment referrer policy as defined in https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer
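Comments 9 and 10 describe the two-step rule at issue: CSS Fonts 3 picks the stylesheet's URL as the referrer source, and the Referrer Policy "determine request's referrer" algorithm then decides how much of that source is sent. The Python below is an added illustration written for this page, not WebKit code and not a reproduction of the bug; it implements the policy switch for http(s) sources and compares what the font host would receive under the spec's source (stylesheet URL) against the document URL the reporter observed Safari using. The page, CDN and font URLs are constructed sample values, the empty policy is assumed to mean today's default `strict-origin-when-cross-origin`, and "potentially trustworthy" is simplified to an https scheme check.

```python
"""Referrer computation for a @font-face fetch (added example, not WebKit code).

Shows which URL reaches the font server when the referrer source is the
stylesheet URL (CSS Fonts 3 requirement) versus the document URL (the
behaviour reported in this bug), under several referrer policies.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

HTTP_SCHEMES = ("http", "https")


def _strip_for_referrer(url: str, origin_only: bool = False) -> Optional[str]:
    """'Strip url for use as a referrer': drop credentials and fragment; with
    origin_only also drop path and query. Non-http(s) sources (data:, blob:,
    file:, ...) produce no referrer, as the spec's local-scheme rule requires."""
    parts = urlsplit(url)
    if parts.scheme not in HTTP_SCHEMES:
        return None
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    if origin_only:
        return urlunsplit((parts.scheme, host, "/", "", ""))
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def _origin(url: str) -> tuple:
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def _is_tls(url: str) -> bool:
    # Simplification (assumption): "potentially trustworthy" == https scheme.
    return urlsplit(url).scheme == "https"


def determine_referrer(referrer_source: str, request_url: str, policy: str = "") -> Optional[str]:
    """The 'determine request's referrer' switch from the Referrer Policy spec.
    Returns the Referer value to send, or None for 'no referrer'."""
    if policy == "":
        policy = "strict-origin-when-cross-origin"  # assumed current default
    if policy == "no-referrer":
        return None
    referrer_url = _strip_for_referrer(referrer_source)
    referrer_origin = _strip_for_referrer(referrer_source, origin_only=True)
    if referrer_url is None:
        return None
    if len(referrer_url) > 4096:  # spec: over-long referrers collapse to origin
        referrer_url = referrer_origin
    same_origin = _origin(referrer_source) == _origin(request_url)
    downgrade = _is_tls(referrer_source) and not _is_tls(request_url)
    if policy == "unsafe-url":
        return referrer_url
    if policy == "origin":
        return referrer_origin
    if policy == "same-origin":
        return referrer_url if same_origin else None
    if policy == "origin-when-cross-origin":
        return referrer_url if same_origin else referrer_origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else referrer_url
    if policy == "strict-origin":
        return None if downgrade else referrer_origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return referrer_url
        return None if downgrade else referrer_origin
    raise ValueError(f"unknown referrer policy: {policy}")


def font_referrer(page_url: str, stylesheet_url: str, font_url: str, policy: str = "") -> dict:
    """Compare both candidate referrer sources for one @font-face request:
    the stylesheet URL (what the CSS Fonts spec requires) and the document
    URL (what the reporter observed). Shows exactly what leaks to the font host."""
    return {
        "per_spec": determine_referrer(stylesheet_url, font_url, policy),
        "reported_webkit": determine_referrer(page_url, font_url, policy),
    }


# Constructed sample values mirroring the reporter's scenario.
PAGE = "https://example-a.com/shop?item=42"
CSS = "https://my-cdn.com/myasset.css"
FONT = "https://my-cdn.com/fonts/body.woff2"

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, font_referrer(PAGE, CSS, FONT, policy))
```

With the stylesheet as source, the font request is same-origin with the CDN, so even a strict policy sends the full stylesheet URL, whereas using the document as source exposes the page's origin (or, under the older `no-referrer-when-downgrade` default of 2018, its full path and query) to the font host.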
Simon Fraser (smfr)
Comment 11 2018-05-29 11:20:17 PDT
git blame the CSS spec and see who wrote it.
Sam Sneddon [:gsnedders]
Comment 12 2021-07-14 02:31:23 PDT
*** This bug has been marked as a duplicate of bug 179054 ***