Referrer policy (#954)

* Added note that removes the restriction of <style> in <head> but
pointing out that use in the body can trigger unwanted side
effects. See Issue #544.

* Added style to the set of flow content elements.

* Partial commit for adding referrerpolicy.

* Hard set for non-binary on the .include files, fixes merge pain.

* Added attribute to stop git treating text files as binary.

* Added referrer policy attribute for link reference resource fetch

* Ported the commits from issue #560. Next, find other commits
that this needs for completeness (attribute defs, IDL, etc.)

* Addded definition section for referrer policy

* Added a few more referrerpolicy references.

* Bulk of referrerpolicy changes, check in for backup in reality.

* Fixed up a bunch of link errors.

* Fixed a few more linking errors, fixed typo.

* Changes as per review, plus some markup cleanup.

Author: Alex Danilo

.gitattributes

@@ -12,7 +12,7 @@
 #   - Deny applying with `git apply --whitespace=error-all`.
 #   - Fix automatically with `git apply --whitespace=fix`.
 ###############################################################################
-[attr]cleantext    text eol=crlf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=4
+[attr]cleantext    text eol=crlf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=4 -binary
 
 ###############################################################################
 # DEFAULT VALUE

sections/attributes.include

@@ -600,6 +600,12 @@
       <td>Whether to allow the value to be edited by the user</td>
       <td><a>Boolean attribute</a></td>
     </tr>
+    <tr>
+     <th><code>referrerpolicy</code></th>
+     <td><{a}>; <{area}>; <{iframe}>; <{img}>; <{link}></td>
+     <td><a>Referrer policy</a> for <a>fetches</a> initiated by the element</td>
+     <td><a>Referrer policy</a></td>
+    </tr>
     <tr>
       <th><{links/rel}></th>
       <td><{a}>; <{area}>; <{link}></td>

sections/browsers.include

@@ -3944,14 +3944,17 @@
       <var>window</var>.
   4. Set the {{Document}}'s <a for="document">HTTPS state</a> to the
       [=response/HTTPS state=] of the resource used to generate the document.
-  5. Execute the <a>Initialize a <code>Document</code>'s CSP list</a> algorithm on the {{Document}}
+  5. Set the {{Document}}'s <a>referrer policy</a> to the result of
+     parsing the <a><code>Referrer-Policy</code></a> header</a> of the <a>response</a>
+     used to generate the document. [[!REFERRERPOLICY]]
+  6. Execute the <a>Initialize a <code>Document</code>'s CSP list</a> algorithm on the {{Document}}
       object and the resource used to generate the document. [[CSP3]]
-  6. Set [=the document's referrer=] to the
+  7. Set [=the document's referrer=] to the
       <em>address of the resource from which Request-URIs are obtained</em> as determined when the
       fetch algorithm obtained the resource, if that algorithm was used and determined such a value;
       otherwise, set it to the empty string.
-  7. <a>Implement the sandboxing</a> for the {{Document}}.
-  8. If the <a>active sandboxing flag set</a> of the {{Document}}'s <a>browsing context</a> or any
+  8. <a>Implement the sandboxing</a> for the {{Document}}.
+  9. If the <a>active sandboxing flag set</a> of the {{Document}}'s <a>browsing context</a> or any
       of its <a>ancestor browsing contexts</a> (if any) have the
       <a>sandboxed fullscreen browsing context flag</a> set, then skip this step.
 

sections/elements.include

@@ -29,7 +29,8 @@
          <{links/download}>;
          <{links/rel}>;
          <{links/hreflang}>;
-         <{links/type}></td>
+         <{links/type}>;
+         <{link/referrerpolicy}></td>
      <td>{{HTMLAnchorElement}}</td>
     </tr>
 
@@ -70,7 +71,8 @@
          <{links/download}>;
          <{links/rel}>;
          <{links/hreflang}>;
-         <{links/type}></td>
+         <{links/type}>;
+         <{link/referrerpolicy}></td>
      <td>{{HTMLAreaElement}}</td>
     </tr>
 
@@ -608,7 +610,8 @@
          <{iframe/sandbox}>;
          <{iframe/allowfullscreen}>;
          <{media/width}>;
-         <{media/height}></td>
+         <{media/height}>;
+         <{iframe/referrerpolicy}></td>
      <td>{{HTMLIFrameElement}}</td>
     </tr>
 
@@ -631,7 +634,8 @@
          <{img/ismap}>;
          <{img/longdesc}>;
          <{media/width}>;
-         <{media/height}></td>
+         <{media/height}>;
+         <{img/referrerpolicy}></td>
      <td>{{HTMLImageElement}}</td>
     </tr>
 
@@ -765,6 +769,7 @@
          <{link/crossorigin}>;
          <{link/rel}>;
          <{link/media}>;
+         <{link/referrerpolicy}>;
          <{link/nonce}>;
          <{link/hreflang}>;
          <{link/type}>;

sections/infrastructure.include

@@ -166,7 +166,7 @@
   A <dfn for="document" lt="inserted into|inserted into the document|inserted into a document">node
   is inserted into a document</dfn> when the <a>insertion steps</a> are invoked with it as the
   argument and it is now <a>in a document tree</a>. Analogously, a
-  <dfn for="document" lt="remove an element from a document|removed from a document|removed from">node
+  <dfn for="document" lt="remove an element from a document|removed from a document|removed from the document|removed from">node
   is removed from a document</dfn> when the <a>removing steps</a> are invoked with it as the argument
   and it is now no longer in a <a>document tree</a>.
 
@@ -712,8 +712,18 @@
         * <a for="request">cache mode</a>
         * <a for="request">redirect mode</a>
         * <a>cryptographic nonce metadata</a>
+        * <a for="request">referrer policy</a>
         * <a>parser metadata</a>
 
+  :: The following terms are defined in <cite>Referrer Policy</cite> [[!REFERRERPOLICY]]
+
+     * <a for="request">referrer policy</a>
+     * The <dfn>`Referrer-Policy`</dfn> HTTP header
+     * The <dfn>parse a referrer policy from a <code>`Referrer-Policy`</code> header</dfn> algorithm
+     * The "<dfn><code>no-referrer</code></dfn>",
+             "<dfn><code>no-referrer-when-downgrade</code></dfn>", and
+             "<dfn><code>unsafe-url</code></dfn>" referrer policies
+
   : Web IDL
   :: The IDL fragments in this specification must be interpreted as required for conforming IDL
       fragments, as described in the Web IDL specification. [[!WEBIDL]]
@@ -3770,6 +3780,33 @@
   <i>missing value default</i>, used when the attribute is omitted, is the
   <dfn state for="cors">No CORS</dfn> state.
 
+ <h4 id="referrer-policy-attributes">Referrer policy attributes</h4>
+
+  A <dfn export="">referrer policy attribute</dfn> is an <a>enumerated attribute</a>.
+  Each <a>referrer policy</a>, including the empty string, is a keyword for this attribute,
+  mapping to a state of the same name.
+
+  The attribute's <a>invalid value default</a> and <a>missing value default</a>
+  are both the empty string state.
+
+  The impact of these states on the processing model of various <a>fetches</a> is defined
+  in more detail throughout this specification, in the WHATWG Fetch standard, and in <cite>Referrer Policy</cite>.
+  [[!FETCH]] [[!REFERRERPOLICY]]
+
+  <div class="note">
+   Several signals can contribute to which processing model is used for a given <a>fetch</a>;
+   a <a>referrer policy attribute</a> is only one of them. In general, the order in which these signals are processed are:
+   <ol>
+    <li>First, the presence of a <{link/}noreferrer}> link
+    type;</li>
+    <li>Then, the value of a <a>referrer policy attribute</a>;</li>
+    <li>Then, the presence of any <{meta}> element with <a><code
+    for="attr-meta-name">name</code></a> attribute set to <a><code>referrer</code></a>.</li>
+    <li>Finally, the <code>`Referrer-Policy`</code> HTTP
+    header.</li>
+   </ol>
+  </div>
+
 <h3 id="common-dom-interfaces">Common DOM interfaces</h3>
 
 <h4 id="reflecting-content-attributes-in-idl-attributes">Reflecting content attributes in IDL attributes</h4>

sections/semantics-document-metadata.include

@@ -332,6 +332,7 @@
     <dd><code>nonce</code> — Cryptographic nonce used in Content Security Policy checks [[CSP3]]</dd>
     <dd><code>hreflang</code> — Language of the linked resource</dd>
     <dd><code>type</code> — Hint for the type of the referenced resource</dd>
+    <dd><code>referrerpolicy</code> - <a>Referrer policy</a> for <a>fetches</a> initiated by the element</dd>
     <dd><code>sizes</code> — Sizes of the icons (for <{link/rel}>="<code>icon</code>")</dd>
     <dd>
       Also, the <{link/title}> attribute has special semantics on this element:  Title of the
@@ -357,7 +358,8 @@
           [CEReactions] attribute DOMString hreflang;
           [CEReactions] attribute DOMString type;
           [CEReactions, SameObject, PutForwards=value] readonly attribute DOMTokenList sizes;
-        };
+          [CEReactions] attribute DOMString referrerPolicy;
+       };
         HTMLLinkElement implements LinkStyle;
       </pre>
     </dd>
@@ -463,7 +465,10 @@
   For <a>external resource links</a>, the <{link/type}> attribute is used as a hint to user agents
   so that they can avoid fetching resources they do not support.
 
-  <!-- def <{link/referrerpolicy}> -->
+  The <dfn element-attr for="link"><code>referrerpolicy</code></dfn> attribute is a
+  <a>referrer policy attribute</a>. It is intended for use with <a>external resource links</a>,
+  where it helps set the <a>referrer policy</a> used when <a>obtaining</a> the external resource.
+  [[!REFERRERPOLICY]].
 
   The <dfn element-attr for="link"><code>title</code></dfn> attribute gives the title of the link.
   With one exception, it is purely advisory. The value is text. The exception is for style sheet
@@ -525,6 +530,10 @@
 
   <!-- def {{HTMLLinkElement/referrerPolicy}} -->
 
+  The <dfn attribute for="HTMLLinkElement"><code>referrerPolicy</code></dfn> IDL attribute must
+  <a>reflect</a> the <code>referrerpolicy</code>
+  content attribute, <a>limited to only known values</a>.
+
   The IDL attribute <dfn attribute for="HTMLLinkElement"><code>relList</code></dfn> must
   <a>reflect</a> the <{link/rel}> content attribute.
 
@@ -630,7 +639,9 @@
       {{Window}} object's <a>environment settings object</a>.
   6. Set <var>request</var>'s <a>cryptographic nonce metadata</a> to the current state of the
       <{link}> element's <{link/nonce}> content attribute.
-  7. <a>Fetch</a> <var>request</var>.
+  7. Set <var>request</var>'s <a>referrer policy</a> to the current state of the
+      <{link}> element's <{link/referrerpolicy}> content attribute.
+  8. <a>Fetch</a> <var>request</var>.
 
   User agents may opt to only try to obtain such resources when they are needed, instead of
   pro-actively fetching all the external resources that are not applied.
@@ -963,6 +974,63 @@
           inappropriate keywords.
         </p>
 
+  : <dfn><code>referrer</code></dfn>
+
+  :: The value must be a <a>referrer policy</a>, which defines the default
+     <a>referrer policy</a> for the <code>Document</code>. [[!REFERRERPOLICY]]
+
+     If any <code>meta</code> elements are <a>inserted into the document</a> or
+     <a>removed from the document</a>, or existing <code>meta</code> elements have their <code>name</code>
+     or <code>content</code> attributes changed, user agents must run the following algorithm:
+
+     1. <p>Let <var>candidate elements</var> be the list of all <code>meta</code> elements that
+        meet the following criteria, in <a>tree order</a>:</p>
+
+        <ul class="brief">
+         <li>The element is <a>in a document tree</a></li>
+         <li>The element has a <code>name</code> attribute, whose value is <code>referrer</code></li>
+         <li>The element has a <code>content</code> attribute, whose value is not the empty string</li>
+         <li>The element is a child of the <{head}> element of the document</li>
+        </ul>
+
+     2. For each <var>element</var> in <var>candidate elements</var>:
+
+         1. <p>Let <var>value</var> be the value of <var>element</var>'s <code>content</code> attribute,
+            converted to [=ASCII lowercase=].</p></li>
+
+         2. <p>If <var>value</var> is one of the values given in the first column of the following
+            table, then set <var>value</var> to the value given in the second column:</p>
+
+            <table>
+             <thead>
+              <tr>
+               <th>Legacy value
+               <th>Referrer policy
+             <tbody>
+              <tr>
+               <td><code>never</code>
+               <td><code>no-referrer</code>
+              <tr>
+               <td><code>default</code>
+               <td><code>no-referrer-when-downgrade</code>
+              <tr>
+               <td><code>always</code>
+               <td><code>unsafe-url</code>
+              <tr>
+               <td><code>origin-when-crossorigin</code>
+               <td><code>origin-when-cross-origin</code>
+            </table>
+
+          3. <p>If <var>value</var> is a <a>referrer policy</a>, then set <var>element</var>'s
+             <a>node document</a>'s <a>referrer policy</a> to <var>policy</var>.</p>
+
+
+      <p class="note">The fact that these steps are applied for each element enables <a
+      href="https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values">deployment of
+      fallback values for older user agents</a>. [[!REFERRERPOLICY]]</p>
+
+     </div>
+
 <h5 id="other-metadata-names">Other metadata names</h5>
 
   <dfn lt="register the names|register the name|metadata names">Extensions to the predefined set of metadata names</dfn> may be registered in the