2015-10-03

Spec author "fixes mistake", wastes everyone's man-year

I came across the Referrer Policy proposal, which is already implemented in Chrome and Firefox, and allows sites to provide more privacy for their users by restricting referrer information sent to other websites when users follow links.

For example, with default browser behavior, if you are browsing the following page:
https://www.reddit.com/r/bigdicklovers/
... then if you click any links on that page which take you to a third-party site, for example:
https://www.employer.bigfirm/
... your browser will kindly send to that site the full address of the "Big Dicks" page you came from.

This has some unfortunate privacy implications, so finally, browsers (except Microsoft's, of course) are allowing sites to exert more control over what referrer information is sent with outgoing links.

One of the nice new policies a site can choose is origin-when-cross-origin. Or is it? In 2014, the First Public Working Draft of the spec made a "mistake", and defined this policy without the third dash. In 2015, this was noticed, and the spec author decided to "fix" it, adding a third dash in later Editor's Drafts.

This has resulted in a situation where Firefox versions 36 - 40 implement the previous spelling (two dashes), and versions 41+ implement the new spelling (three dashes). As of today, Mozilla Developer Network still documents the old, two-dash spelling. FxSiteCompat (not affiliated with Mozilla) documents the fix, and states "The legacy wrong value will no longer be supported in the future."

Meanwhile, announcements like this one continue to link to the old version of the spec, and the old version is still what you will find if you look up the spec on W3.org. If you want to use this feature, you'll spend an hour figuring it out. And if you don't spend that hour, you are likely to use the old version instead of the new one – possibly leading to your referrer policy breaking in the future.
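One way to check your own pages for the old spelling, as an added example that is not from the spec or from any browser's code. It assumes the policy is delivered through a `<meta name="referrer">` tag and that the two-dash spelling is `origin-when-crossorigin`; the function names and the sample HTML are constructed for illustration.

```javascript
// Spellings as described in the post (the literal two-dash token is an assumption).
const CURRENT = "origin-when-cross-origin"; // three dashes, later Editor's Drafts
const LEGACY = "origin-when-crossorigin";   // two dashes, 2014 First Public Working Draft

// Which spelling a Firefox version implements, using the ranges stated in the post.
function spellingForFirefox(version) {
  if (version >= 41) return CURRENT;
  if (version >= 36) return LEGACY;
  return null; // the post says nothing about earlier versions
}

// Pull attributes out of one tag's text; attribute names are lower-cased.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Find every <meta name="referrer"> tag and classify its content value.
// Values are compared case-insensitively (an assumption of this example).
function auditReferrerMeta(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    if ((attrs.name || "").toLowerCase() !== "referrer") continue;
    const value = (attrs.content || "").trim().toLowerCase();
    let status = "other"; // some policy the post does not discuss
    if (value === CURRENT) status = "current";
    else if (value === LEGACY) status = "legacy";
    findings.push({ value, status, fix: status === "legacy" ? CURRENT : null });
  }
  return findings;
}

// Constructed sample markup: one tag with each spelling, attributes in both orders.
const SAMPLE = `
<head>
  <meta charset="utf-8">
  <meta name="referrer" content="origin-when-crossorigin">
  <meta content='origin-when-cross-origin' name='Referrer'>
  <meta name="viewport" content="width=device-width">
</head>`;

console.log(auditReferrerMeta(SAMPLE));
```

A finding with status `legacy` is the case the post warns about: it matches what Firefox 36 - 40 implement but not what 41+ implement.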

Ahh – the great results of "fixing" things that already shipped, and perhaps were not even broken. :-)
