
Add Referrer-Policy no-referrer-when-cross-origin #167

Open
Shamar opened this issue Feb 21, 2023 · 7 comments

Comments

@Shamar

Shamar commented Feb 21, 2023

Please add a new Referrer Policy, no-referrer-when-cross-origin, that simply forces the browser to behave as if no-referrer were specified for cross-origin requests and as if strict-origin were specified for same-origin requests.

@domfarolino
Member

@Shamar
Author

Shamar commented Feb 21, 2023

If so, the specification of same-origin Referrer Policy should clarify the correct behavior of the browser when the referrer is a potentially trustworthy URL but the current URL is not.

@domfarolino
Member

What is unclear about the current spec? The full referrer URL is sent if the request is same-origin, and not sent otherwise. The whole thing is contingent based on the URL's origin.

@Shamar
Author

Shamar commented Feb 21, 2023

Simply put, the presence of these examples under strict-origin but not under same-origin.

@domfarolino
Member

Every one of those examples under strict-origin is an example of a cross-origin request, because a difference in origin trustworthiness implies cross-origin. I guess we could add one of them to the same-origin example, since they are technically cross-origin, but the reason they exist in the strict-origin example is because they are really trying to showcase how the difference in origin trustworthiness activates the logic unique to strict-origin.

I suppose we could add an example in the same-origin section of http://example.com fetching a script at https://example.com/script.js, and how that would NOT send a referrer. I'm happy to review a PR if you'd like to send one.

@Amir-Herzberg

Adding an example would be nice, but it may be even more desirable to have a comment similar to the one in origin-when-cross-origin, to clarify the different treatment from strict-origin-when-cross-origin. The comment in origin-when-cross-origin is:

NOTE: For the "origin-when-cross-origin" policy, we also consider protocol upgrades, e.g. requests from http://example.com/ to https://example.com/, to be cross-origin-referrer requests.

Possible text for a comment for same-origin:

NOTE: For the "same-origin" policy, we also consider protocol upgrades, e.g. requests from http://example.com/ to https://example.com/, to be cross-origin-referrer requests.

@domfarolino
Member

Would you be willing to submit a PR to add this text? I'm happy to review it.
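The behaviour the thread is arguing about (a protocol upgrade from http://example.com/ to https://example.com/ counting as cross-origin under same-origin and origin-when-cross-origin, versus the trustworthiness check that is unique to strict-origin and strict-origin-when-cross-origin) is easier to see executed than described. The following is an added example, not code from the issue, the spec or any browser: a JavaScript model of the Referrer Policy spec's "determine request's referrer" algorithm, run over the exact URLs used in the comments above. Assumptions: isPotentiallyTrustworthy is a deliberately simplified approximation of the spec's "potentially trustworthy URL" check (https/wss and loopback hosts only); the spec's referrer-length cap is omitted; and the no-referrer-when-cross-origin case is the policy proposed in the opening comment, implemented exactly as that comment describes it, and is not part of the spec.

```javascript
// Added example (not the spec's or any browser's code): a model of the
// Referrer Policy "determine request's referrer" algorithm for the policies
// discussed in this issue. Uses the WHATWG URL class built into Node.js.

const NO_REFERRER = null;

// Simplified approximation of the spec's "potentially trustworthy URL" check
// (assumption: only https/wss and loopback hosts; the real algorithm also
// covers file:, user-agent-configured origins and more).
function isPotentiallyTrustworthy(url) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  const host = url.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
    host === '127.0.0.1' || host === '[::1]';
}

// "Strip url for use as a referrer": drop credentials and fragment; with the
// origin-only flag also drop path and query so only scheme://host[:port]/ remains.
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Returns the referrer string to send, or NO_REFERRER (null).
// policy: a Referrer-Policy token; referrerSource: the referring document's
// URL; currentUrl: the request's current URL.
function determineReferrer(policy, referrerSource, currentUrl) {
  const referrerURL = new URL(referrerSource);
  const current = new URL(currentUrl);

  // Local schemes never produce a referrer, whatever the policy.
  if (['about:', 'blob:', 'data:'].includes(referrerURL.protocol)) return NO_REFERRER;

  const fullReferrer = stripForReferrer(referrerURL, false);
  const referrerOrigin = stripForReferrer(referrerURL, true);
  // Origin comparison includes the scheme, so http->https on the same host is
  // cross-origin. This is the point the same-origin NOTE in the thread makes.
  const sameOrigin = referrerURL.origin === current.origin;
  // "Downgrade": a trustworthy referrer leaking to a non-trustworthy target.
  const downgrade = isPotentiallyTrustworthy(referrerURL) && !isPotentiallyTrustworthy(current);

  switch (policy) {
    case 'no-referrer':
      return NO_REFERRER;
    case 'unsafe-url':
      return fullReferrer;
    case 'origin':
      return referrerOrigin;
    case 'no-referrer-when-downgrade':
      return downgrade ? NO_REFERRER : fullReferrer;
    case 'strict-origin':
      return downgrade ? NO_REFERRER : referrerOrigin;
    case 'same-origin':
      return sameOrigin ? fullReferrer : NO_REFERRER;
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer : referrerOrigin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer;
      return downgrade ? NO_REFERRER : referrerOrigin;
    // The policy proposed in this issue (assumption: as described in the
    // opening comment; NOT part of the spec): no-referrer when cross-origin,
    // strict-origin behaviour when same-origin.
    case 'no-referrer-when-cross-origin':
      if (!sameOrigin) return NO_REFERRER;
      return downgrade ? NO_REFERRER : referrerOrigin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// The thread's own example: http://example.com fetching https://example.com/script.js.
const POLICIES = ['same-origin', 'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'no-referrer-when-cross-origin'];
for (const p of POLICIES) {
  console.log(p.padEnd(32),
    determineReferrer(p, 'http://example.com/', 'https://example.com/script.js'));
}
```

Run with `node referrer.js`. The upgrade case is what separates the policies: same-origin sends nothing because the origins differ in scheme, while strict-origin and strict-origin-when-cross-origin still send `http://example.com/`, since an http referrer is not trustworthy and so the request is not a downgrade. Only the https-to-http direction trips the strict-* check, which is why the spec's trustworthiness examples live under strict-origin and not under same-origin.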


3 participants