- From: arturjanc <notifications@github.com>
- Date: Wed, 18 Apr 2018 08:47:37 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/700/382434466@github.com>
One valid question that came up recently in a related discussion is why developers cannot use the `Referer` header as source of information about the requesting origin, as opposed to the origin being provided in the `Sec-Site` header. The main reason for this is that developers cannot count on the `Referer` always being present in legitimate requests: it is stripped on HTTPS->HTTP transitions, on navigations performed in a new window (`about:blank` + navigation via JS -- used intentionally by many applications to protect users from URLs leaking to third parties), etc. This means that in order to not break existing users applications must be willing to accept requests without a `Referer`; as a result, an attacker could remove the referrer from their requests and the server would have to process them as usual, removing the protections we're hoping to get from `Sec-Site`. (Some applications could certainly do without the origin at all, and reject all `cross-origin` requests for authenticated resources, but this runs into the problem of insufficient granularity that Mike mentioned in https://github.com/whatwg/fetch/issues/700#issuecomment-381519400) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/700#issuecomment-382434466
Received on Wednesday, 18 April 2018 15:48:02 UTC