Re: Origin and Referrer Policy

On Thu, Jul 11, 2019 at 2:51 AM Francois Marier <> wrote:
> The first part of this change makes sense to me: we should ensure that
> the Origin header does not leak more information than the Referer.
> However, is there a use case for using a looser policy (unsafe-url,
> origin, origin-when-cross-origin) and including the Origin header on
> HTTPS-to-HTTP downgrades?
> Unless there are important use cases for this capability, I'd propose
> honoring the referrer policy only when it's "stricter" than
> no-referrer-when-downgrade.

Does it matter if the information is there in Referrer anyway? Anyway,
I suppose it's reasonable to change this if all implementers are open
to it. Please file an issue against whatwg/fetch to track such an

Received on Tuesday, 20 August 2019 12:32:28 UTC