Re: [referrer] Should referrer policy change value of the Origin header? from Brad Hill on 2016-02-02 (public-webappsec@w3.org from February 2016)

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 02 Feb 2016 07:01:11 +0000
To: Mike West <mkwst@google.com>, Jochen Eisinger <eisinger@google.com>, "Emily Stark (Dunn)" <estark@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8jnrD=YOux_+8stoWbDUr8OCxgv9do7M0JsD16xUDiPBw@mail.gmail.com>

https://bugzilla.mozilla.org/show_bug.cgi?id=446344

On Mon, Feb 1, 2016, 10:46 PM Mike West <mkwst@google.com> wrote:

> +Jochen & Emily
>
> On Tue, Feb 2, 2016 at 6:15 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> I note that most recent Chrome will change the value of the Origin header
>> on, e.g. a same-origin POST to "null" if there is a meta-referrer policy of
>> 'never' or 'no-referrer'.
>>
>> Should it do this?  Seems possibly logical, but there is no mention of
>> this in the spec...
>>
>
> It seems reasonable to limit the leakage in this case, but it does mean
> that pages which specify such a referrer policy couldn't reasonably use
> CORS with credentials. I think that's probably a fine tradeoff, but I agree
> that it should be explicit in the spec.
>
> (Firefox, to my continuing sadness, doesn't send Origin on POST at all.)
>>
>
> Is there a bug on Bugzilla you could point folks to? I didn't see one in a
> quick skim for "Origin header"...
>
> -mike
>

Received on Tuesday, 2 February 2016 07:01:50 UTC