+Jochen & Emily
On Tue, Feb 2, 2016 at 6:15 AM, Brad Hill <hillbrad@gmail.com> wrote:
> I note that most recent Chrome will change the value of the Origin header
> on, e.g. a same-origin POST to "null" if there is a meta-referrer policy of
> 'never' or 'no-referrer'.
>
> Should it do this? Seems possibly logical, but there is no mention of
> this in the spec...
>
It seems reasonable to limit the leakage in this case, but it does mean
that pages which specify such a referrer policy couldn't reasonably use
CORS with credentials. I think that's probably a fine tradeoff, but I agree
that it should be explicit in the spec.
(Firefox, to my continuing sadness, doesn't send Origin on POST at all.)
>
Is there a bug on Bugzilla you could point folks to? I didn't see one in a
quick skim for "Origin header"...
-mike
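The server side of the exchange discussed above, as an added example that is not code from this thread, from Chrome, or from the spec: a CORS decision that treats the literal `Origin: null` (what Chrome sends from a page under a `no-referrer` meta referrer policy, per Brad's observation) as untrusted, and only grants a credentialed response to an exact allowlist match. The allowlist, the `cors_response_headers` and `browser_would_expose` function names, and the request headers are all constructed for the example; the second function is an approximation of the browser-side check, not a browser implementation.

```python
"""Server-side CORS decision for the Origin values discussed in the thread.

Added example (not code from the thread, a browser, or the Fetch/CORS spec).
It models a resource that honours credentialed CORS requests from an allowlist
and shows why a page that sends `Origin: null` (e.g. Chrome under a
`no-referrer` meta referrer policy) cannot obtain a credentialed grant.
"""

from typing import Dict, Optional

# Constructed allowlist of origins permitted to make credentialed requests.
ALLOWED_ORIGINS = frozenset({
    "https://app.example",
    "https://admin.example",
})


def cors_response_headers(request_headers: Dict[str, str],
                          allowed: frozenset = ALLOWED_ORIGINS) -> Optional[Dict[str, str]]:
    """Return the CORS response headers to add, or None to grant nothing.

    Rules applied:
      * No Origin header: not a CORS request; nothing to add.
      * `Origin: null`: the literal string "null" is what browsers send for
        opaque origins (sandboxed frames, some redirects, and, per the thread,
        Chrome with a no-referrer policy). It is not an identity, so it is
        never allowlisted and never echoed back.
      * Otherwise only an exact allowlist match is echoed, together with
        Allow-Credentials and `Vary: Origin` so a shared cache does not serve
        one origin's grant to another.
    """
    # Header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin is None:
        return None
    if origin == "null":
        # Reflecting "null" would grant every opaque-origin document access.
        return None
    if origin not in allowed:
        return None
    return {
        "Access-Control-Allow-Origin": origin,       # exact echo, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_would_expose(response_headers: Optional[Dict[str, str]],
                         request_origin: str, with_credentials: bool) -> bool:
    """Approximate the browser-side CORS check for a simple request.

    A credentialed response needs an exact ACAO match (a wildcard is rejected)
    plus Allow-Credentials: true. Without credentials a wildcard suffices.
    """
    if not response_headers:
        return False
    acao = response_headers.get("Access-Control-Allow-Origin")
    if with_credentials:
        return (acao == request_origin
                and response_headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == request_origin


if __name__ == "__main__":
    # Constructed requests: a normal allowlisted app, and a page whose referrer
    # policy made the browser send Origin: null.
    for req in ({"Origin": "https://app.example"}, {"Origin": "null"}):
        resp = cors_response_headers(req)
        ok = browser_would_expose(resp, req["Origin"], with_credentials=True)
        print(f"{req['Origin']:<22} -> {'exposed' if ok else 'blocked'}")
```

Running it shows the tradeoff Mike describes: the allowlisted origin is exposed, while the `null` origin gets no grant at all, so a credentialed request from such a page fails even though the resource does support CORS with credentials.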