W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2019

Origin and Referrer Policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 3 Jul 2019 13:34:08 +0200
Message-ID: <CADnb78gkC=P=yRsr+fJj+OugX1Fu1n2eb3aPUMA_ScjydaSjQg@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Hey all,

I wanted to bring https://github.com/whatwg/fetch/pull/908 to your
attention. We tightened the requirements around the Origin header so that
it follows the Referrer Policy when it's included in requests outside of
those pertaining the CORS protocol.

There's an argument for including the "CORS protocol Origin header" as
well, especially now that new request contexts will use CORS, but it's
unclear to what extent existing content would be adversely affected by such
a policy. If you feel that should be investigated further and have the
resources to drive that, please file an issue at
https://github.com/whatwg/fetch/issues/new to coordinate.

Kind regards,

Anne

P.S.: Please include me directly on replies, if you wish for me to see them.
Received on Wednesday, 3 July 2019 11:34:53 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 3 July 2019 11:34:54 UTC