Re: Origin and Referrer Policy

On Thu, Jul 11, 2019 at 2:51 AM Francois Marier <francois@brave.com> wrote:
> The first part of this change makes sense to me: we should ensure that
> the Origin header does not leak more information than the Referer.
>
> However, is there a use case for using a looser policy (unsafe-url,
> origin, origin-when-cross-origin) and including the Origin header on
> HTTPS-to-HTTP downgrades?
>
> Unless there are important use cases for this capability, I'd propose
> honoring the referrer policy only when it's "stricter" than
> no-referrer-when-downgrade.

Does it matter if the information is there in Referrer anyway? Anyway,
I suppose it's reasonable to change this if all implementers are open
to it. Please file an issue against whatwg/fetch to track such an
effort.

Received on Tuesday, 20 August 2019 12:32:28 UTC
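The difference between the two behaviours discussed in this thread, as an added example (not code from either poster or from the Fetch specification). The function names, the mode names "mirror" and "strict-only", and the URLs are hypothetical, and a downgrade is simplified to "HTTPS page requesting a non-HTTPS URL".

```javascript
// Added illustration; all names are hypothetical, URLs are constructed samples.
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Simplifying assumption: a downgrade is an HTTPS page requesting a non-HTTPS URL.
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol !== "https:";
}

// Would the Referer header reveal at least the origin under this policy?
function refererRevealsOrigin(policy, from, to) {
  const sameOrigin = from.origin === to.origin;
  const downgrade = isDowngrade(from, to);
  switch (policy) {
    case "no-referrer": return false;
    case "same-origin": return sameOrigin;
    case "no-referrer-when-downgrade":
    case "strict-origin":
    case "strict-origin-when-cross-origin": return !downgrade;
    case "origin":
    case "origin-when-cross-origin":
    case "unsafe-url": return true;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// mode "mirror": Origin never reveals more than Referer would.
// mode "strict-only": the quoted proposal; downgrades always get "null",
// so only policies stricter than no-referrer-when-downgrade have any effect.
function originHeader(policy, fromUrl, toUrl, mode = "mirror") {
  const from = new URL(fromUrl), to = new URL(toUrl);
  if (mode === "strict-only" && isDowngrade(from, to)) return "null";
  return refererRevealsOrigin(policy, from, to) ? from.origin : "null";
}

// Policies for which the two modes send a different Origin value.
function policiesThatDiffer(fromUrl, toUrl) {
  return POLICIES.filter((p) =>
    originHeader(p, fromUrl, toUrl, "mirror") !==
    originHeader(p, fromUrl, toUrl, "strict-only"));
}
```

For a constructed downgrade such as `https://shop.example/cart` to `http://tracker.example/collect`, the two modes differ only for the looser policies named in the quoted message, where Referer already carries the origin.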