Re: [referrer] Should referrer policy change value of the Origin header?

Thanks for the heads up. I don't think that was an intentional change, and
in the past, we decided to keep the origin header for CORS. I agree that we
should say something about this in the spec.

On Tue, Feb 2, 2016 at 8:01 AM Brad Hill <hillbrad@gmail.com> wrote:

> https://bugzilla.mozilla.org/show_bug.cgi?id=446344
>
> On Mon, Feb 1, 2016, 10:46 PM Mike West <mkwst@google.com> wrote:
>
>> +Jochen & Emily
>>
>> On Tue, Feb 2, 2016 at 6:15 AM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>>> I note that most recent Chrome will change the value of the Origin
>>> header on, e.g. a same-origin POST to "null" if there is a meta-referrer
>>> policy of 'never' or 'no-referrer'.
>>>
>>> Should it do this?  Seems possibly logical, but there is no mention of
>>> this in the spec...
>>>
>>
>> It seems reasonable to limit the leakage in this case, but it does mean
>> that pages which specify such a referrer policy couldn't reasonably use
>> CORS with credentials. I think that's probably a fine tradeoff, but I agree
>> that it should be explicit in the spec.
>>
>> (Firefox, to my continuing sadness, doesn't send Origin on POST at all.)
>>>
>>
>> Is there a bug on Bugzilla you could point folks to? I didn't see one in
>> a quick skim for "Origin header"...
>>
>> -mike
>>
>

Received on Tuesday, 2 February 2016 08:30:08 UTC
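
The tradeoff discussed in this thread (an Origin header of "null" under a 'no-referrer' policy versus CORS with credentials), seen from the server side. This is an added example, not code from the thread, the spec or any browser; the allowlist, the example origins and the function names are assumptions made for illustration.

```javascript
// Hypothetical allowlist of origins trusted for credentialed CORS.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// Returns the CORS response headers for a credentialed request, or null to
// send none (the browser then refuses to expose the response to the caller).
function corsHeadersFor(originHeader) {
  // "null" is the serialization of every opaque origin (sandboxed iframes,
  // data: URLs) and, per the thread, of pages with a 'no-referrer' policy in
  // Chrome. It identifies no one, so it is never echoed back with credentials.
  if (originHeader === undefined || originHeader === "null") return null;
  if (!ALLOWED_ORIGINS.has(originHeader)) return null;
  return {
    // "*" is not accepted by browsers on credentialed requests, so the
    // exact origin must be echoed and the response varied on it.
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Classifies the Origin header on a state-changing POST for a CSRF check.
// "absent" and "opaque" carry no origin information, so the caller needs
// another defence (for example a CSRF token) before accepting the request.
function classifyPostOrigin(originHeader, ownOrigin) {
  if (originHeader === undefined) return "absent"; // browser sent no Origin on POST
  if (originHeader === "null") return "opaque";    // origin withheld, e.g. by referrer policy
  return originHeader === ownOrigin ? "same-origin" : "cross-origin";
}

// Constructed sample requests, one per case raised in the thread.
function demo() {
  const own = "https://app.example";
  return ["https://app.example", "null", undefined, "https://evil.example"].map(
    (o) => ({
      origin: o,
      csrf: classifyPostOrigin(o, own),
      credentialedCors: corsHeadersFor(o) !== null,
    })
  );
}

console.log(demo());
```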