Pass along correct referrers when fetching scripts

Fixes #1111, although the problem was more widespread than indicated there. Previously, *only* classic workers had their referrer set correctly. This updates the algorithms to: - Pass the document's address as the referrer for <script>-initiated fetches (both classic and module) - Pass the document's address as the referrer for worker-creation fetches (both classic and module) - Pass the importing module's address as the referrer for import-initiated module script fetches
whatwg · Apr 25, 2016 · f21e119 · f21e119
1 parent d8f4b79
commit f21e119
Showing 1 changed file with 41 additions and 34 deletions.
diff --git a/source b/source
@@ -58804,15 +58804,18 @@ o............A....e
      event</span> named <code data-x="event-error">error</code> at the element, and abort these
      steps. Otherwise, let <var>url</var> be the <span>resulting URL record</span>.</p></li>
 
+     <li><p>Let <var>referrer</var> be the element's <span>node document</span>'s <span data-x="the
+     document's address">address</span>.</p></li>
+
      <li>
       <p>Switch on <span data-x="concept-script-type">the script's type</span>:</p>
 
       <dl class="switch">
        <dt>"<code data-x="">classic</code>"</dt>
        <dd>
-        <p><span>Fetch a classic script</span> given <var>url</var>, <var>CORS setting</var>,
-        <var>cryptographic nonce</var>, <var>parser state</var>, <var>settings</var>, and
-        <var>encoding</var>.</p>
+        <p><span>Fetch a classic script</span> given <var>url</var>, <var>referrer</var>, <var>CORS
+        setting</var>, <var>cryptographic nonce</var>, <var>parser state</var>, <var>settings</var>,
+        and <var>encoding</var>.</p>
        </dd>
 
        <dt>"<code data-x="">module</code>"</dt>
@@ -58834,9 +58837,9 @@ o............A....e
           </dl>
          </li>
 
-         <li><p><span>Fetch a module script tree</span> given <var>url</var>, <var>credentials
-         mode</var>, <var>cryptographic nonce</var>, <var>parser state</var>, "<code
-         data-x="">script</code>", and <var>settings</var>.</p></li>
+         <li><p><span>Fetch a module script tree</span> given <var>url</var>, <var>referrer</var>,
+         <var>credentials mode</var>, <var>cryptographic nonce</var>, <var>parser state</var>,
+         "<code data-x="">script</code>", and <var>settings</var>.</p></li>
         </ol>
        </dd>
       </dl>
@@ -86957,11 +86960,11 @@ interface <dfn>NavigatorOnLine</dfn> {
   <p class="note"><cite>Service Workers</cite> is an example of a specification that runs these
   algorithms with its own options for the hooks. <ref spec=SW></p>
 
-  <p>To <dfn>fetch a classic script</dfn> for a <code>script</code> element <var>element</var>,
-  given a <var>url</var>, a <var>CORS setting</var>, a <var>cryptographic nonce</var>, a <var>parser
-  state</var>, a <var>settings object</var>, and a <var>character encoding</var>, run these steps.
-  The algorithm will asynchronously complete with either null (on failure) or a new <span>classic
-  script</span> (on success).</p>
+  <p>To <dfn>fetch a classic script</dfn> given a <var>url</var>, a <var>referrer</var>, a <var>CORS
+  setting</var>, a <var>cryptographic nonce</var>, a <var>parser state</var>, a <var>settings
+  object</var>, and a <var>character encoding</var>, run these steps. The algorithm will
+  asynchronously complete with either null (on failure) or a new <span>classic script</span> (on
+  success).</p>
 
   <ol>
    <li><p>Let <var>request</var> be the result of <span data-x="create a potential-CORS
@@ -86971,10 +86974,11 @@ interface <dfn>NavigatorOnLine</dfn> {
    <li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to
    <var>settings object</var>, its <span data-x="concept-request-type">type</span> to "<code
    data-x="">script</code>", its <span data-x="concept-request-destination">destination</span>
-   to "<code data-x="">script</code>", its <span
-   data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> to
-   <var>cryptographic nonce</var>, and its <span data-x="concept-request-parser-metadata">parser
-   metadata</span> to <var>parser state</var>.</p></li>
+   to "<code data-x="">script</code>", its <span data-x="concept-request-referrer">referrer</span>
+   to <var>referrer</var>, its <span data-x="concept-request-nonce-metadata">cryptographic nonce
+   metadata</span> to <var>cryptographic nonce</var>, and its <span
+   data-x="concept-request-parser-metadata">parser metadata</span> to <var>parser
+   state</var>.</p></li>
 
    <li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
    up the request</span>, perform them on <var>request</var>.</p></li>
@@ -87073,19 +87077,19 @@ interface <dfn>NavigatorOnLine</dfn> {
    <li>Asynchronously complete this algorithm with <var>script</var>.</li>
   </ol>
 
-  <p>To <dfn>fetch a module script tree</dfn> given a <var>url</var>, a <var>credentials mode</var>,
-  a <var>cryptographic nonce</var>, a <var>parser state</var>, a <var>destination</var>, a
-  <var>settings object</var>, and an optional <var>ancestor list</var>, run these steps. The
-  algorithm will asynchronously complete with either null (on failure) or a <span>module
-  script</span> (on success).</p>
+  <p>To <dfn>fetch a module script tree</dfn> given a <var>url</var>, a <var>referrer</var>, a
+  <var>credentials mode</var>, a <var>cryptographic nonce</var>, a <var>parser state</var>, a
+  <var>destination</var>, a <var>settings object</var>, and an optional <var>ancestor list</var>,
+  run these steps. The algorithm will asynchronously complete with either null (on failure) or a
+  <span>module script</span> (on success).</p>
 
   <ol>
    <li><p>If <var>ancestor list</var> is not given, let it be an empty list.</p></li>
 
-   <li><p><span>Fetch a single module script</span> given <var>url</var>, <var>credentials
-   mode</var>, <var>cryptographic nonce</var>, <var>parser state</var>, <var>destination</var>, and
-   <var>settings object</var>. If the caller of this algorithm specified custom <span
-   data-x="fetching-scripts-set-up-request">set up the request</span> or <span
+   <li><p><span>Fetch a single module script</span> given <var>url</var>, <var>referrer</var>,
+   <var>credentials mode</var>, <var>cryptographic nonce</var>, <var>parser state</var>,
+   <var>destination</var>, and <var>settings object</var>. If the caller of this algorithm specified
+   custom <span data-x="fetching-scripts-set-up-request">set up the request</span> or <span
    data-x="fetching-scripts-process-response">process the response</span> steps, pass those along
    while <span data-x="fetch a single module script">fetching a single module script</span>.</p>
 
@@ -87153,7 +87157,8 @@ interface <dfn>NavigatorOnLine</dfn> {
 
    <li>
     <p>For each <var>url</var> in <var>urls</var>, <span>fetch a module script tree</span> given
-    <var>url</var>, <var>module script</var>'s <span
+    <var>url</var>, <var>module script</var>'s <span data-x="concept-module-script-base-url">base
+    URL</span>, <var>module script</var>'s <span
     data-x="concept-module-script-credentials-mode">credentials mode</span>, <var>module
     script</var>'s <span data-x="concept-module-script-nonce">cryptographic nonce</span>,
     <var>module script</var>'s <span data-x="concept-module-script-parser">parser state</span>,
@@ -87175,10 +87180,11 @@ interface <dfn>NavigatorOnLine</dfn> {
    </li>
   </ol>
 
-  <p>To <dfn>fetch a single module script</dfn>, given a <var>url</var>, a <var>credentials
-  mode</var>, a <var>cryptographic nonce</var>, a <var>parser state</var>, a <var>destination</var>,
-  and a <var>settings object</var>, run these steps. The algorithm will asynchronously complete with
-  either null (on failure) or a <span>module script</span> (on success).</p>
+  <p>To <dfn>fetch a single module script</dfn>, given a <var>url</var>, a <var>referrer</var>, a
+  <var>credentials mode</var>, a <var>cryptographic nonce</var>, a <var>parser state</var>, a
+  <var>destination</var>, and a <var>settings object</var>, run these steps. The algorithm will
+  asynchronously complete with either null (on failure) or a <span>module script</span> (on
+  success).</p>
 
   <ol>
    <li><p>Let <var>module map</var> be <var>settings</var>'s <span>module map</span>.</p></li>
@@ -87196,13 +87202,14 @@ interface <dfn>NavigatorOnLine</dfn> {
    <li><p>Let <var>request</var> be a new <span data-x="concept-request">request</span> whose
    <span data-x="concept-request-url">url</span> is <var>url</var>, <span
    data-x="concept-request-destination">destination</span> is <var>destination</var>, <span
+   data-x="concept-request-referrer">referrer</span> is <var>referrer</var>, <span
    data-x="concept-request-type">type</span> is "<code data-x="">script</code>", <span
    data-x="concept-request-mode">mode</span> is "<code data-x="">cors</code>", <span
    data-x="concept-request-credentials-mode">credentials mode</span> is <var>credentials
    mode</var>, <span data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> is
    <var>cryptographic nonce</var>, <span data-x="concept-request-parser-metadata">parser
-   metadata</span> is <var>parser state</var>and <span data-x="concept-request-client">client</span>
-   is <var>settings object</var>.</p></li>
+   metadata</span> is <var>parser state</var>, and <span
+   data-x="concept-request-client">client</span> is <var>settings object</var>.</p></li>
 
    <li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
    up the request</span>, perform them on <var>request</var>.</p></li>
@@ -96613,9 +96620,9 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
      <var>settings object</var>, and <var>destination</var>.</dd>
 
      <dt>"<code data-x="">module</code>"</dt>
-     <dd><span>Fetch a module script tree</span> given <var>url</var>, the value of the <code
-     data-x="">credentials</code> member of <var>options</var>, the empty string (as no
-     <var>cryptographic nonce</var> is present for workers), "<code data-x="">not
+     <dd><span>Fetch a module script tree</span> given <var>url</var>, <var>referrer</var>, the
+     value of the <code data-x="">credentials</code> member of <var>options</var>, the empty string
+     (as no <var>cryptographic nonce</var> is present for workers), "<code data-x="">not
      parser-inserted</code>", <var>destination</var>, and <var>settings object</var>.</dd>
     </dl>