[referrer] Should referrer policy change value of the Origin header? from Brad Hill on 2016-02-02 (public-webappsec@w3.org from February 2016)

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 02 Feb 2016 05:15:27 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8isku0RSWuH=kSZ+A2ZSf5fkvU4At5nDpOLat2q7EAU4A@mail.gmail.com>

I note that most recent Chrome will change the value of the Origin header
on, e.g. a same-origin POST to "null" if there is a meta-referrer policy of
'never' or 'no-referrer'.

Should it do this?  Seems possibly logical, but there is no mention of this
in the spec...

(Firefox, to my continuing sadness, doesn't send Origin on POST at all.)

-Brad

Received on Tuesday, 2 February 2016 05:16:06 UTC