[whatwg/fetch] Referrer determination should be done on updated URLs in main fetch (Issue #1727) from meacer on 2023-12-14 (public-webapps-github@w3.org from December 2023)

From: meacer <notifications@github.com>
Date: Thu, 14 Dec 2023 10:27:30 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1727@github.com>

### What is the issue with the Fetch Standard?

In Main Fetch, HSTS upgrade step (4.1.10) runs after referrer determination steps. As a result of this, a request upgraded via HSTS may not have the correct referrer.

For example, a request with `no-referrer-when-downgrade` policy would normally drop the referrer when navigating from HTTPS to HTTP. If HSTS upgrades the HTTP URL to HTTPS, there's effectively no downgrade, so the referrer should actually not be dropped.

Ideally, the referrer determination should be made on the upgraded URL so as not to over-aggressively drop referrer information.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1727
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1727@github.com>

Received on Thursday, 14 December 2023 18:27:35 UTC