
Re: [referrer] Should referrer policy change value of the Origin header?

From: Mike West <mkwst@google.com>
Date: Tue, 2 Feb 2016 07:45:42 +0100
Message-ID: <CAKXHy=cb9HDkwvQKDug925dYrE8zAbQ=-hhYaYFqHcOMCfrQTA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>, Jochen Eisinger <eisinger@google.com>, "Emily Stark (Dunn)" <estark@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
+Jochen & Emily

On Tue, Feb 2, 2016 at 6:15 AM, Brad Hill <hillbrad@gmail.com> wrote:

> I note that most recent Chrome will change the value of the Origin header
> on, e.g. a same-origin POST to "null" if there is a meta-referrer policy of
> 'never' or 'no-referrer'.
> Should it do this?  Seems possibly logical, but there is no mention of
> this in the spec...

It seems reasonable to limit the leakage in this case, but it does mean
that pages which specify such a referrer policy couldn't reasonably use
CORS with credentials. I think that's probably a fine tradeoff, but I agree
that it should be explicit in the spec.

(Firefox, to my continuing sadness, doesn't send Origin on POST at all.)

Is there a bug on Bugzilla you could point folks to? I didn't see one in a
quick skim for "Origin header"...

Received on Tuesday, 2 February 2016 06:46:38 UTC
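The tradeoff described in the reply above can be seen from the server side. The following is an added illustration, not code from the thread or from any W3C or browser project: a minimal CORS decision function for a Node-style HTTP handler that shows why a page whose referrer policy suppresses the origin (Chrome sends `Origin: null` in that case, as Brad observed) cannot take part in a credentialed CORS exchange. The origin allow-list, the function names and the request/response shapes are constructed for the example.

```javascript
// Added example (not part of the thread). Shows a server-side CORS check that
// treats "Origin: null" as an opaque origin to be refused, which is why a page
// with a referrer policy of 'no-referrer' (or the older 'never' keyword quoted
// in the thread) cannot use CORS with credentials once the browser sends
// Origin: null for its requests.

// Constructed allow-list of origins permitted to make credentialed requests.
// Entries are full serialized origins: scheme, host and port, compared exactly.
const ALLOWED_ORIGINS = new Set([
  'https://app.example',
  'https://admin.example',
]);

/**
 * Decide which CORS response headers, if any, a request should receive.
 * @param {string|undefined} originHeader  value of the request's Origin header
 * @param {Set<string>} allowed            exact-match allow-list of origins
 * @returns {object|null} headers to add, or null when the server should not
 *          acknowledge the request as an allowed cross-origin request
 */
function corsHeadersFor(originHeader, allowed) {
  // No Origin header at all: an ordinary same-origin navigation/GET, or a
  // browser that omits Origin on POST (the Firefox behaviour noted in the
  // reply). There is nothing to acknowledge.
  if (originHeader === undefined) return null;

  // "null" is the serialization of an opaque origin: sandboxed iframes,
  // data: URLs and, per the thread, pages whose referrer policy suppressed
  // the origin. Reflecting it into Access-Control-Allow-Origin together with
  // Allow-Credentials would hand the user's credentials to every such
  // document, so it is refused before any allow-list lookup.
  if (originHeader === 'null') return null;

  // Exact string match only. Prefix or substring matching would accept
  // attacker-controlled hosts such as https://app.example.attacker.test.
  if (!allowed.has(originHeader)) return null;

  return {
    // Echo the single matched origin. "*" is not permitted with credentials.
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per origin, so shared caches must key on Origin.
    'Vary': 'Origin',
  };
}

/**
 * Apply the decision to a request/response pair shaped like Node's http
 * objects (req.headers, res.setHeader). Returns true when CORS headers were
 * added. When it returns false no CORS headers are emitted at all, and the
 * browser blocks the cross-origin read of the response.
 */
function applyCors(req, res, allowed = ALLOWED_ORIGINS) {
  const headers = corsHeadersFor(req.headers.origin, allowed);
  if (headers === null) return false;
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return true;
}
```

The check is deliberately ordered so that `null` is rejected before the allow-list is consulted; an allow-list that contains the literal string `"null"` is a common misconfiguration, and the early return makes that entry inert. Logging the rejected `Origin: null` case separately from unknown origins is also useful, because on a site that sets `no-referrer` those log lines are the first symptom that the policy, not a misconfigured client, is what broke a credentialed request.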
