[REFERRER] 301 Redirections with cross origin and same origin nodes?

Greetings to all,

Currently there is an open PR updating the referrer policy test suite with
tests to support asserting 301 redirections :

However there is an open question:

Should the final destination of a sub-resource get the same referrer as the
content (img, link, script) and background requests (XHR, Fetch)?

*We have the following scenario:*

Referrer Policy:
Origin when Cross Origin

Protocol transition:
http to http

A priori sub-resource URL:

Final destination of resource:
same origin as browsing context

Start with a cross-origin request for a sub resource which redirects back
to the same origin of the browsing context. I call it a


What is interesting is that Chrome 42 exhibits the following behavior:

a.com/index.html ==> b.com/img.py?with_redirect --> a.com/img.py?final_dest
final_dest gets the *origin only URL* (http://a.com/)

See the test

a.com/index.html ==> b.com/xhr.py?with_redirect --> a.com/xhr.py?final_dest
final_dest gets the *stripped referrer URL* (http://a.com/index.html)

See the test


This only occurs when *origin-when-cross-origin* referrer policy is applied..

My question is:

Should we differentiate between types of resources (content vs bg requests)
when we have swap-origin redirects which start of as a cross-origin
sub-resource request?

Wow, such a mouthful... Drawing diagrams helps... :-)
Also, see the tests linked above.

Please provide some feedback or suggestions.


*Kristijan Burnik*

Software Engineering Intern


Google Germany GmbH

Dienerstraße 12

80331 München

Geschäftsführer: Graham Law, Christine Elizabeth Flores

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Received on Tuesday, 26 May 2015 12:08:41 UTC