https://bugzilla.mozilla.org/show_bug.cgi?id=446344
On Mon, Feb 1, 2016, 10:46 PM Mike West <mkwst@google.com> wrote:
> +Jochen & Emily
>
> On Tue, Feb 2, 2016 at 6:15 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> I note that most recent Chrome will change the value of the Origin header
>> on, e.g. a same-origin POST to "null" if there is a meta-referrer policy of
>> 'never' or 'no-referrer'.
>>
>> Should it do this? Seems possibly logical, but there is no mention of
>> this in the spec...
>>
>
> It seems reasonable to limit the leakage in this case, but it does mean
> that pages which specify such a referrer policy couldn't reasonably use
> CORS with credentials. I think that's probably a fine tradeoff, but I agree
> that it should be explicit in the spec.
>
>> (Firefox, to my continuing sadness, doesn't send Origin on POST at all.)
>>
>
> Is there a bug on Bugzilla you could point folks to? I didn't see one in a
> quick skim for "Origin header"...
>
> -mike
>
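
The three Origin cases raised in this thread (a real origin, the literal "null", and no header at all), as an added example that is not part of the original messages: a server-side check showing why a "null" origin cannot be given credentialed CORS and why a missing header needs a separate CSRF defence. The allow-list, the function name and the lower-cased header object (as Node's http module delivers it) are assumptions.

```javascript
// Added example; ALLOWED_ORIGINS and classifyOrigin are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Decide how a server should treat the Origin header of one request.
// `headers` uses lower-cased names (assumption: Node-style header object).
function classifyOrigin(method, headers) {
  const origin = headers["origin"];
  const stateChanging = !["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase());
  // Without a verified origin, a state-changing request needs another
  // CSRF defence (for example a per-session token).
  const fallback = stateChanging ? "require-csrf-token" : "allow";

  if (origin === undefined) {
    // No Origin header: nothing to verify, no CORS grant.
    return { verdict: "unverified", cors: {}, action: fallback };
  }
  if (origin === "null") {
    // Serialized opaque origin. A page that suppresses its referrer sends the
    // same value as any sandboxed frame, so it identifies nobody: never echo
    // it back together with Access-Control-Allow-Credentials.
    return { verdict: "opaque", cors: {}, action: fallback };
  }
  if (ALLOWED_ORIGINS.has(origin)) {
    return {
      verdict: "trusted",
      cors: {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
      },
      action: "allow",
    };
  }
  // A named origin that is not on the allow-list: no CORS grant, and
  // state-changing requests are refused outright.
  return { verdict: "rejected", cors: {}, action: stateChanging ? "deny" : "allow" };
}

// Constructed sample requests covering the cases in the thread.
const samples = [
  ["POST", { origin: "https://app.example" }],
  ["POST", { origin: "null" }],
  ["POST", {}],
  ["POST", { origin: "https://other.example" }],
];
for (const [method, headers] of samples) {
  console.log(headers.origin ?? "(none)", "->", classifyOrigin(method, headers).verdict);
}
```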