Re: Origin and Referrer Policy

On 2019-07-03 04:34, Anne van Kesteren wrote:
> I wanted to bring https://github.com/whatwg/fetch/pull/908 to your
> attention. We tightened the requirements around the Origin header so
> that it follows the Referrer Policy when it's included in requests
> outside of those pertaining to the CORS protocol.

The first part of this change makes sense to me: we should ensure that
the Origin header does not leak more information than the Referer.

However, is there a use case for using a looser policy (unsafe-url,
origin, origin-when-cross-origin) and including the Origin header on
HTTPS-to-HTTP downgrades?

Unless there are important use cases for this capability, I'd propose
honoring the referrer policy only when it's "stricter" than
no-referrer-when-downgrade.

Francois
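To make the trade-off concrete, here is an added model (not text from the Fetch PR, nor any browser's implementation) of how the Origin header value for a non-CORS, non-GET/HEAD request could follow the referrer policy, with Francois's proposal exposed as a `cap_at_downgrade` flag. The helper names, the "null" serialization for suppressed origins and the grouping of policies are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Referrer policy names as defined in the Referrer Policy spec.
NO_REFERRER = "no-referrer"
NO_REFERRER_WHEN_DOWNGRADE = "no-referrer-when-downgrade"
SAME_ORIGIN = "same-origin"
ORIGIN = "origin"
STRICT_ORIGIN = "strict-origin"
ORIGIN_WHEN_CROSS_ORIGIN = "origin-when-cross-origin"
STRICT_ORIGIN_WHEN_CROSS_ORIGIN = "strict-origin-when-cross-origin"
UNSAFE_URL = "unsafe-url"

# Looser policies: if honoured as-is they still reveal the origin on an HTTPS->HTTP downgrade.
DOWNGRADE_LEAKING = {UNSAFE_URL, ORIGIN, ORIGIN_WHEN_CROSS_ORIGIN}
# Policies that already hide the origin on a downgrade.
DOWNGRADE_HIDING = {NO_REFERRER_WHEN_DOWNGRADE, STRICT_ORIGIN, STRICT_ORIGIN_WHEN_CROSS_ORIGIN}


def serialize_origin(url: str) -> str:
    """Assumed helper: serialize a URL's origin as scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def is_downgrade(request_origin: str, request_url: str) -> bool:
    """True when an HTTPS initiator fetches a non-HTTPS URL."""
    return urlsplit(request_origin).scheme == "https" and urlsplit(request_url).scheme != "https"


def origin_header(policy: str, request_origin: str, request_url: str,
                  cors: bool = False, cap_at_downgrade: bool = False) -> str:
    """Return the Origin header value for a non-GET/HEAD request.

    cors=True models a CORS request, which always carries the real origin.
    cap_at_downgrade=True applies the proposal from the reply above: a policy
    looser than no-referrer-when-downgrade is only honoured up to that level,
    so the origin is replaced by "null" on an HTTPS->HTTP downgrade as well.
    """
    serialized = serialize_origin(request_origin)
    if cors:
        return serialized
    if policy == NO_REFERRER:
        return "null"
    effective = policy
    if cap_at_downgrade and policy in DOWNGRADE_LEAKING:
        effective = NO_REFERRER_WHEN_DOWNGRADE
    if effective in DOWNGRADE_HIDING and is_downgrade(request_origin, request_url):
        return "null"
    if effective == SAME_ORIGIN and serialized != serialize_origin(request_url):
        return "null"
    return serialized
```

With the flag off, `unsafe-url` on an HTTPS page posting to an HTTP endpoint still sends the real origin; with it on, the same request sends `Origin: null`.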

Received on Thursday, 11 July 2019 01:09:27 UTC