
Re: Origin and Referrer Policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 20 Aug 2019 14:31:43 +0200
Message-ID: <CADnb78iKQfD8y3mnzpzeUN-tqEYLHR3nOpNaai57NAOhbezKHw@mail.gmail.com>
To: Francois Marier <francois@brave.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, Jul 11, 2019 at 2:51 AM Francois Marier <francois@brave.com> wrote:
> The first part of this change makes sense to me: we should ensure that
> the Origin header does not leak more information than the Referer.
>
> However, is there a use case for using a looser policy (unsafe-url,
> origin, origin-when-cross-origin) and including the Origin header on
> HTTPS-to-HTTP downgrades?
>
> Unless there are important use cases for this capability, I'd propose
> honoring the referrer policy only when it's "stricter" than
> no-referrer-when-downgrade.

Does it matter if the information is there in Referrer anyway? Anyway,
I suppose it's reasonable to change this if all implementers are open
to it. Please file an issue against whatwg/fetch to track such an
effort.

Received on Tuesday, 20 August 2019 12:32:28 UTC
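As an added illustration (not part of the thread or of the Fetch spec), the following Python model computes the Referer value under each referrer policy and then the Origin header under the two rules being discussed: the current rule, where Origin is "null" exactly when Referer would be omitted so that Origin never reveals more than Referer, and the proposed one, where an HTTPS-to-HTTP downgrade also yields "null" even under the looser policies (unsafe-url, origin, origin-when-cross-origin). Policy names are the standard ones; the hosts in the test are made up.

```python
from urllib.parse import urlsplit, urlunsplit

# Simplified model of the Referrer Policy "determine request's referrer"
# algorithm plus two candidate rules for the Origin header on a non-GET/HEAD
# (or CORS) request. Illustrative code written for this page, not spec text.

def _host_port(p):
    return p.hostname + (f":{p.port}" if p.port else "")

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}"

def strip_for_referrer(url):
    # Referrer Policy strips credentials and the fragment before use.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))

def is_downgrade(source, target):
    return urlsplit(source).scheme == "https" and urlsplit(target).scheme != "https"

def referer_for(policy, source, target):
    """Referer value for a request from `source` to `target`, or None if omitted."""
    same = origin_of(source) == origin_of(target)
    down = is_downgrade(source, target)
    full, origin = strip_for_referrer(source), origin_of(source) + "/"
    table = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if down else full,
        "same-origin": full if same else None,
        "origin": origin,
        "strict-origin": None if down else origin,
        "origin-when-cross-origin": full if same else origin,
        "strict-origin-when-cross-origin": full if same else (None if down else origin),
        "unsafe-url": full,
    }
    return table[policy]

def origin_header(policy, source, target, cap_at_downgrade=False):
    """Origin header value. Default: 'null' exactly when Referer is omitted, so
    Origin never reveals more than Referer. With cap_at_downgrade=True (the
    proposal in the thread) any HTTPS-to-HTTP downgrade also yields 'null'."""
    if referer_for(policy, source, target) is None:
        return "null"
    if cap_at_downgrade and is_downgrade(source, target):
        return "null"
    return origin_of(source)
```

Running `origin_header("unsafe-url", "https://app.example/p", "http://legacy.example/")` shows the difference: the default rule returns the origin, the capped rule returns "null".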
