
[REFERRER] 301 Redirections with cross origin and same origin nodes?

From: Kristijan Burnik <burnik@google.com>
Date: Tue, 26 May 2015 14:06:15 +0200
Message-ID: <CANJwyhVp+gR+Bb0t=F2=VQsL0YU7Q4KrL6moTEPkwkWG8FL1RA@mail.gmail.com>
To: public-webappsec@w3.org
Greetings to all,

Currently there is an open PR updating the referrer policy test suite with
tests to support asserting 301 redirections:

However there is an open question:

Should the final destination of a sub-resource get the same referrer as the
content (img, link, script) and background requests (XHR, Fetch)?

*We have the following scenario:*

Referrer Policy:
Origin when Cross Origin

Protocol transition:
http to http

A priori sub-resource URL:

Final destination of resource:
same origin as browsing context

Start with a cross-origin request for a sub-resource which redirects back
to the same origin of the browsing context. I call it a


What is interesting is that Chrome 42 exhibits the following behavior:

a.com/index.html ==> b.com/img.py?with_redirect --> a.com/img.py?final_dest
final_dest gets the *origin only URL* (http://a.com/)

See the test

a.com/index.html ==> b.com/xhr.py?with_redirect --> a.com/xhr.py?final_dest
final_dest gets the *stripped referrer URL* (http://a.com/index.html)

See the test


This only occurs when *origin-when-cross-origin* referrer policy is applied.

My question is:

Should we differentiate between types of resources (content vs bg requests)
when we have swap-origin redirects which start off as a cross-origin
sub-resource request?

Wow, such a mouthful... Drawing diagrams helps... :-)
Also, see the tests linked above.

Please provide some feedback or suggestions.


*Kristijan Burnik*

Software Engineering Intern


Google Germany GmbH

Dienerstraße 12

80331 München

Managing directors: Graham Law, Christine Elizabeth Flores

Register court and number: Hamburg, HRB 86891

Registered office: Hamburg
Received on Tuesday, 26 May 2015 12:08:41 UTC
