From faec3a50ea181f322ab9819975e285ced34a0308 Mon Sep 17 00:00:00 2001
From: Jochen Eisinger <jochen@chromium.org>
Date: Fri, 19 Feb 2016 12:49:41 +0100
Subject: [PATCH] Never send a referrer with hyperlink auditing pings

For same-origin pings, a ping request with a referrer might be
mistaken as a trustable POST. We already don't include a referrer
if the document containing the anchor is secure. Stripping the
referrer for insecure, cross-origin pings makes the whole
algorithm easier.

PR: https://github.com/whatwg/html/pull/712
---
 source | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/source b/source
index bcbcc5bf582..ee6aa94cf6f 100644
--- a/source
+++ b/source
@@ -21133,7 +21133,8 @@ interface <dfn>HTMLHyperlinkElementUtils</dfn> {
    the <code>Document</code> containing the <span>hyperlink</span>, <span
    data-x="concept-request-destination">destination</span> is "<code data-x="">subresource</code>",
    <span data-x="concept-request-credentials-mode">credentials mode</span> is "<code
-   data-x="">include</code>", and whose <span>use-URL-credentials flag</span> is set.</p></li>
+   data-x="">include</code>", <span data-x="concept-request-referrer">referrer</span> is "<code
+   data-x="">no-referrer</code>", and whose <span>use-URL-credentials flag</span> is set.</p></li>
 
    <li>
     <p>Let <var>target URL</var> is the <span>resulting URL string</span> obtained from <span
@@ -21148,32 +21149,24 @@ interface <dfn>HTMLHyperlinkElementUtils</dfn> {
      <dd><var>request</var> must include a `<code data-x="http-ping-from">Ping-From</code>` header
      with, as its value, the <span data-x="the document's address">address</span> of the document
      containing the hyperlink, and a `<code data-x="http-ping-to">Ping-To</code>` HTTP header with,
-     as its value, the <var>target URL</var>. <var>request</var>'s <span
-     data-x="concept-request-referrer">referrer</span> must be "<code data-x="">no-referrer</code>".
-     <!-- because otherwise it would look like a trustable same-origin POST --></dd>
+     as its value, the <var>target URL</var>.
+     </dd>
 
      <dt>Otherwise, if the origins are different, but the document containing the hyperlink being
      audited was not retrieved over an encrypted connection</dt>
 
-     <dd><var>request</var>'s <span data-x="concept-request-referrer">referrer</span> must be the
-     <span data-x="the document's address">address</span> of the document containing the hyperlink.
-     <var>request</var> must include a `<code data-x="http-ping-from">Ping-From</code>` header with
-     the same value, and a `<code data-x="http-ping-to">Ping-To</code>` HTTP header with, as its
-     value, <var>target URL</var>.</dd>
+     <dd>The <var>request</var> must include a `<code data-x="http-ping-from">Ping-From</code>`
+     header with the <span data-x="the document's address">address</span> of the document containing
+     the hyperlink as its value, and a `<code data-x="http-ping-to">Ping-To</code>` HTTP header
+     with, as its value, <var>target URL</var>.</dd>
 
      <dt>Otherwise, the origins are different and the document containing the hyperlink being
      audited was retrieved over an encrypted connection</dt>
 
      <dd><var>request</var> must include a `<code data-x="http-ping-to">Ping-To</code>` HTTP header
-     with, as its value, <var>target URL</var>. <var>request</var>'s <span
-     data-x="concept-request-referrer">referrer</span> must be "<code data-x="">no-referrer</code>".
-     <span class="note"><var>request</var> does not include a `<code
-     data-x="http-ping-from">Ping-From</code>` header.</span></dd>
+     with, as its value, <var>target URL</var>.  <span class="note"><var>request</var> does not
+     include a `<code data-x="http-ping-from">Ping-From</code>` header.</span></dd>
     </dl>
-
-    <p class="&#x0058;&#x0058;&#x0058;">These headers should be <a
-    href="/w3c/webappsec/issues/469">subject to <cite>Referrer
-    Policy</cite></a>.</p>
    </li>
 
    <!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>