
Re: [referrer] Should referrer policy change value of the Origin header?

From: Jochen Eisinger <eisinger@google.com>
Date: Tue, 02 Feb 2016 08:29:25 +0000
Message-ID: <CALjhuif8usGsh-H2gRghcde4h7acFSFyc0OovTqE1L8Rf6ji6Q@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, "Emily Stark (Dunn)" <estark@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Thanks for the heads-up. I don't think that was an intentional change, and
in the past, we decided to keep the Origin header for CORS. I agree that we
should say something about this in the spec.

On Tue, Feb 2, 2016 at 8:01 AM Brad Hill <hillbrad@gmail.com> wrote:

> https://bugzilla.mozilla.org/show_bug.cgi?id=446344
>
> On Mon, Feb 1, 2016, 10:46 PM Mike West <mkwst@google.com> wrote:
>
>> +Jochen & Emily
>>
>> On Tue, Feb 2, 2016 at 6:15 AM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>>> I note that most recent Chrome will change the value of the Origin
>>> header on, e.g. a same-origin POST to "null" if there is a meta-referrer
>>> policy of 'never' or 'no-referrer'.
>>>
>>> Should it do this?  Seems possibly logical, but there is no mention of
>>> this in the spec...
>>>
>>
>> It seems reasonable to limit the leakage in this case, but it does mean
>> that pages which specify such a referrer policy couldn't reasonably use
>> CORS with credentials. I think that's probably a fine tradeoff, but I agree
>> that it should be explicit in the spec.
>>
>> (Firefox, to my continuing sadness, doesn't send Origin on POST at all.)
>>
>>
>> Is there a bug on Bugzilla you could point folks to? I didn't see one in
>> a quick skim for "Origin header"...
>>
>> -mike
>>
>
Received on Tuesday, 2 February 2016 08:30:08 UTC
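The thread describes three things a server can see in the Origin header on a POST: the real origin (Chrome by default), the literal token "null" (Chrome under a no-referrer policy, as Brad observed), and no header at all (Firefox, as Mike notes). The example below is added here and is not code from the thread, from any browser, or from the Referrer Policy or CORS specs; it shows the server-side consequence Mike points at: a credentialed CORS responder must refuse to echo "null", and an Origin-based CSRF check must treat "null" as an untrusted origin rather than as "no information". The site origin `https://app.example`, the allow-listed caller `https://partner.example`, and the sample request header sets are all constructed assumptions, written to mirror the behaviour the thread describes rather than captured from any browser.

```javascript
// Added example (not from the thread): how a server should handle the
// Origin header in the cases the thread discusses. Every request object
// below is constructed by hand to mirror the thread's description; none
// is captured traffic. SITE_ORIGIN and CORS_ALLOWLIST are assumed values.
'use strict';

const SITE_ORIGIN = 'https://app.example';                    // assumed: our own site
const CORS_ALLOWLIST = new Set(['https://partner.example']);  // assumed: trusted cross-origin caller

// Normalise the Origin header. An absent or empty header, the literal
// "null" token (opaque origins: sandboxed frames, data: URLs and, per the
// thread, Chrome with a no-referrer policy) and anything that is not a
// bare serialised origin (scheme://host[:port]) all yield null.
function parseOrigin(headers) {
  const raw = headers.origin;
  if (raw === undefined || raw === '' || raw === 'null') return null;
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (url.origin !== raw) return null;   // path, trailing slash, userinfo, default port, etc.
  return url.origin;
}

// Credentialed CORS: echo exactly one allow-listed origin. Never echo "null":
// any document with an opaque origin (e.g. a sandboxed iframe on an attacker's
// page) would then be able to make credentialed requests. Returning null means
// "send no CORS headers", so the browser blocks the cross-origin read. This is
// the trade-off Mike describes for pages that set a no-referrer policy.
function credentialedCorsHeaders(headers) {
  const origin = parseOrigin(headers);
  if (origin === null || !CORS_ALLOWLIST.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Origin-based CSRF check for a state-changing request to our own site.
// Fail closed: if an Origin header is present it must parse to SITE_ORIGIN,
// so "null" and malformed values are rejected. If it is absent entirely
// (the Firefox-on-POST case in the thread) fall back to Referer, and reject
// when neither header identifies the caller.
function isSameSiteRequest(headers) {
  const present = headers.origin !== undefined && headers.origin !== '';
  if (present) return parseOrigin(headers) === SITE_ORIGIN;
  if (headers.referer) {
    try { return new URL(headers.referer).origin === SITE_ORIGIN; } catch { return false; }
  }
  return false;
}

// Constructed sample requests, one per case raised in the thread.
const SAMPLE_REQUESTS = {
  chromeDefaultPost:    { origin: 'https://app.example', referer: 'https://app.example/form' },
  chromeNoReferrerPost: { origin: 'null' },                         // meta referrer=no-referrer
  firefoxPost:          { referer: 'https://app.example/form' },    // no Origin on POST at all
  crossSitePost:        { origin: 'https://evil.example', referer: 'https://evil.example/' },
  partnerCorsFetch:     { origin: 'https://partner.example' },
};

// Run both checks over every sample and return the decisions.
function evaluateAll() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = { sameSite: isSameSiteRequest(headers), cors: credentialedCorsHeaders(headers) };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(evaluateAll(), null, 2));
}
```

The practical point for a site that sets a no-referrer policy: its own same-origin POSTs arrive with `Origin: null` in the Chrome behaviour Brad describes, so an Origin-based CSRF check that fails closed will reject them (and one that treats "null" as trustworthy is exploitable from any opaque-origin document). Either tighten the policy to `same-origin` or `strict-origin-when-cross-origin`, or pair the Origin check with a token, rather than accepting "null".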
