Clarify that manifest fetches should not send a Referer (w3c-fedid#239)

Fixes w3c-fedid#215
mattdanielbrown · Mar 30, 2022 · b439d86 · b439d86
1 parent 8d1afed
commit b439d86
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/spec/index.bs b/spec/index.bs
@@ -579,8 +579,9 @@ by the [=IDP=].
 
 The manifest discovery endpoint is fetched:
 
-(a) **without** cookies and
-(b) **with** a special [[#Sec-FedCM-CSRF]] header, and
+(a) **without** cookies,
+(b) **with** a special [[#Sec-FedCM-CSRF]] header,
+(c) **without** a [[RFC7231#header.referer|Referer]] header, and
 (c) **without** following [[RFC7231#header.location|HTTP redirects]].
 
 For example: