- From: Mike West <notifications@github.com>
- Date: Thu, 16 May 2019 09:24:15 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/903/492990794@github.com>
Based on the limited amount of data gathered in https://bugs.chromium.org/p/chromium/issues/detail?id=959757#c8, I plan to run a short experiment in Chrome Canary/Dev which would strip the `referer` down to an origin if it exceeded 2k (0.1% of requests) or 4k (0.01% of requests). Two things to note: 1. 4k feels like a reasonable limit to aim for. I'm curious about the effect of a tighter limit, but I doubt we'll see statistically relevant changes in any metric between the two. I'm told that some large services cap the `referer` header to 4k server-side, so I'm a bit biased towards that limit given an existence proof of it being acceptable. 2. The patch I landed against Chromium in https://chromium-review.googlesource.com/c/chromium/src/+/1595872 implements the cap by stripping the `referer` header down to an origin (plus a trailing `/`) if it exceeds the limit, as @MattMenke2 raised reasonable concerns about just cutting the string off in the middle. This is fairly certain to be safe (especially given that some vendors strip headers to origins already) but may result in subtle breakage in path-based ACLs that would be hard for us to detect at scale. It might be worth coming back to this implementation question. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/903#issuecomment-492990794
Received on Thursday, 16 May 2019 09:24:46 UTC