Phase 14: Security + Storage
Implement the Referrer Policy specification (W3C) to control how much referrer information is sent with requests.
Requirements
Policy parsing
- Parse the Referrer-Policy HTTP response header
- Parse the referrerpolicy HTML attribute on a, area, img, iframe, link, and script elements
- Parse the referrer meta tag content attribute
- Supported policies: no-referrer, no-referrer-when-downgrade (default), origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
Referrer computation
- Given a request URL, a document URL, and a referrer policy, compute the correct Referer header value
- Strip the referrer URL appropriately: full URL, origin-only, or empty depending on the policy
- Handle scheme downgrades (HTTPS to HTTP) correctly for -when-downgrade and strict- policies
- Strip fragment and userinfo from referrer URLs before sending
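A sketch of the computation listed above, as an added example that is not the project's own code. The names Policy, split and compute_referrer are hypothetical, URL handling is a simplified string split rather than a full URL parser (no default-port or case normalisation), a downgrade is approximated as an https document requesting a non-https URL, and the sample URL is constructed.

```rust
#[derive(Clone, Copy)]
pub enum Policy {
    NoReferrer, NoReferrerWhenDowngrade, Origin, OriginWhenCrossOrigin,
    SameOrigin, StrictOrigin, StrictOriginWhenCrossOrigin, UnsafeUrl,
}

/// Hypothetical helper: splits an absolute URL into (scheme, host[:port],
/// path+query), dropping the fragment and any userinfo along the way.
fn split(url: &str) -> Option<(&str, &str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let rest = rest.split('#').next()?; // fragment is never sent
    let cut = rest.find(|c: char| c == '/' || c == '?').unwrap_or(rest.len());
    let (authority, path) = rest.split_at(cut);
    Some((scheme, authority.rsplit('@').next()?, path)) // drop userinfo
}

/// Returns the Referer header value, or None when no header is sent.
pub fn compute_referrer(document: &str, request: &str, policy: Policy) -> Option<String> {
    let (d_scheme, d_host, d_path) = split(document)?;
    let (r_scheme, r_host, _) = split(request)?;
    if d_scheme != "http" && d_scheme != "https" {
        return None; // only http(s) documents are used as a referrer
    }
    let origin = format!("{}://{}/", d_scheme, d_host);
    let sep = if d_path.starts_with('/') { "" } else { "/" };
    let full = format!("{}://{}{}{}", d_scheme, d_host, sep, d_path);
    let same_origin = d_scheme == r_scheme && d_host == r_host;
    // Simplification: downgrade = https document, non-https request.
    let downgrade = d_scheme == "https" && r_scheme != "https";
    use Policy::*;
    match policy {
        NoReferrer => None,
        UnsafeUrl => Some(full),
        Origin => Some(origin),
        NoReferrerWhenDowngrade => if downgrade { None } else { Some(full) },
        StrictOrigin => if downgrade { None } else { Some(origin) },
        SameOrigin => if same_origin { Some(full) } else { None },
        OriginWhenCrossOrigin => Some(if same_origin { full } else { origin }),
        StrictOriginWhenCrossOrigin if same_origin => Some(full),
        StrictOriginWhenCrossOrigin => if downgrade { None } else { Some(origin) },
    }
}

fn main() {
    let doc = "https://user:pw@example.com/a/b?q=1#frag"; // constructed sample
    let r = compute_referrer(doc, "https://other.test/", Policy::StrictOriginWhenCrossOrigin);
    println!("{:?}", r);
}
```

Note that origin and origin-when-cross-origin still send the origin on an HTTPS-to-HTTP request; only the -when-downgrade and strict- policies suppress the header there.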
Integration points
- crates/net/src/http.rs: set the Referer header on outgoing requests based on computed policy
- crates/browser/src/loader.rs: track the active referrer policy per document and pass it to the HTTP client
- crates/html: parse referrerpolicy attributes and meta referrer tags during tree building
Acceptance Criteria
- All 8 referrer policies are correctly implemented
- HTTPS-to-HTTP downgrade strips or omits referrer for strict/downgrade policies
- Same-origin vs cross-origin distinction is handled correctly for origin-when-cross-origin and same-origin policies
- referrerpolicy attribute on HTML elements overrides the document-level policy
- Fragment and userinfo are stripped from referrer URLs
- cargo clippy --workspace -- -D warnings passes
- cargo test --workspace passes