- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 3 Jul 2019 13:34:08 +0200
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Wednesday, 3 July 2019 11:34:53 UTC
Hey all,

I wanted to bring https://github.com/whatwg/fetch/pull/908 to your attention. We tightened the requirements around the Origin header so that it follows the Referrer Policy when it's included in requests outside of those pertaining to the CORS protocol.

There's an argument for including the "CORS protocol Origin header" as well, especially now that new request contexts will use CORS, but it's unclear to what extent existing content would be adversely affected by such a policy. If you feel that should be investigated further and have the resources to drive that, please file an issue at https://github.com/whatwg/fetch/issues/new to coordinate.

Kind regards,

Anne

P.S.: Please include me directly on replies, if you wish for me to see them.