- From: Francois Marier <francois@brave.com>
- Date: Wed, 10 Jul 2019 17:51:19 -0700
- To: public-webappsec@w3.org
- Cc: Anne van Kesteren <annevk@annevk.nl>
On 2019-07-03 04:34, Anne van Kesteren wrote:
> I wanted to bring https://github.com/whatwg/fetch/pull/908 to your
> attention. We tightened the requirements around the Origin header so
> that it follows the Referrer Policy when it's included in requests
> outside of those pertaining to the CORS protocol.

The first part of this change makes sense to me: we should ensure that the Origin header does not leak more information than the Referer.

However, is there a use case for using a looser policy (unsafe-url, origin, origin-when-cross-origin) and including the Origin header on HTTPS-to-HTTP downgrades?

Unless there are important use cases for this capability, I'd propose honoring the referrer policy only when it's "stricter" than no-referrer-when-downgrade.

Francois
Received on Thursday, 11 July 2019 01:09:27 UTC
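Editor's note: the following is an added illustration, not code from the thread, from the Fetch PR, or from any browser. It models the Origin-header decision for a non-CORS request whose method is not GET or HEAD (the case the PR touches), with a switch over referrer policies that follows the shape of the Fetch spec's "append a request Origin header" algorithm as I understand it, and beside it the stricter variant Francois proposes: suppress the Origin header on any HTTPS-to-HTTP downgrade regardless of policy. The Referer computation is the standard per-policy rule, included so the two headers can be compared. Function names and the sample origins are my own constructions.

```javascript
// Added illustration: how the Referer and Origin headers behave per referrer
// policy on a non-CORS, non-GET/HEAD request, and what Francois's proposed
// downgrade guard would change. Not the Fetch spec text; a model of it.

function isDowngrade(requestOrigin, destinationUrl) {
  // An HTTPS-sourced request to a non-HTTPS destination.
  return new URL(requestOrigin).protocol === "https:" &&
         new URL(destinationUrl).protocol !== "https:";
}

function isSameOrigin(requestOrigin, destinationUrl) {
  return new URL(requestOrigin).origin === new URL(destinationUrl).origin;
}

// Referer value for a given policy: the full referring URL (credentials and
// fragment stripped), the origin only, or nothing (null).
function refererForPolicy(policy, referringUrl, destinationUrl) {
  const u = new URL(referringUrl);
  u.username = ""; u.password = ""; u.hash = "";
  const full = u.href;
  const originOnly = u.origin + "/";
  const downgrade = isDowngrade(u.origin, destinationUrl);
  const sameOrigin = isSameOrigin(u.origin, destinationUrl);
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "unsafe-url": return full;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Origin header value for a non-CORS, non-GET/HEAD request, following the
// policy-driven rule as modelled here: either the serialized origin or "null".
function originHeaderPerPolicy(policy, requestOrigin, destinationUrl) {
  const serialized = new URL(requestOrigin).origin;
  switch (policy) {
    case "no-referrer":
      return "null";
    case "no-referrer-when-downgrade":
    case "strict-origin":
    case "strict-origin-when-cross-origin":
      return isDowngrade(requestOrigin, destinationUrl) ? "null" : serialized;
    case "same-origin":
      return isSameOrigin(requestOrigin, destinationUrl) ? serialized : "null";
    case "origin":
    case "origin-when-cross-origin":
    case "unsafe-url":
      // The looser policies Francois asks about: the origin still goes out,
      // even on an HTTPS-to-HTTP downgrade.
      return serialized;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Francois's proposal, as modelled: never send the origin on a downgrade;
// otherwise honour the policy as above. Equivalent to treating any policy
// looser than no-referrer-when-downgrade as no-referrer-when-downgrade.
function originHeaderWithDowngradeGuard(policy, requestOrigin, destinationUrl) {
  if (isDowngrade(requestOrigin, destinationUrl)) return "null";
  return originHeaderPerPolicy(policy, requestOrigin, destinationUrl);
}

// Side-by-side view for one request, so the leak the thread discusses is visible.
function compareHeaders(policy, referringUrl, destinationUrl) {
  const requestOrigin = new URL(referringUrl).origin;
  return {
    policy,
    referer: refererForPolicy(policy, referringUrl, destinationUrl),
    originPerPolicy: originHeaderPerPolicy(policy, requestOrigin, destinationUrl),
    originWithGuard: originHeaderWithDowngradeGuard(policy, requestOrigin, destinationUrl),
  };
}

// Constructed sample: an HTTPS page POSTing to a plain-HTTP endpoint (a downgrade).
const SAMPLE_PAGE = "https://app.example/account/settings";
const SAMPLE_DOWNGRADE_TARGET = "http://legacy.example/submit";

for (const p of ["unsafe-url", "origin", "origin-when-cross-origin", "strict-origin"]) {
  console.log(compareHeaders(p, SAMPLE_PAGE, SAMPLE_DOWNGRADE_TARGET));
}
```

Running the loop shows the point of the question: under unsafe-url, origin and origin-when-cross-origin the modelled Origin header still carries `https://app.example` across the downgrade, while under strict-origin it is `null`; the guarded variant returns `null` for all four. Note that in every row the Origin value never says more than the Referer does, which is the first half of the change Francois agrees with.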