
Re: Origin and Referrer Policy

From: Francois Marier <francois@brave.com>
Date: Wed, 10 Jul 2019 17:51:19 -0700
To: public-webappsec@w3.org
Cc: Anne van Kesteren <annevk@annevk.nl>
Message-ID: <6e8c1753-dcb3-68e1-d763-af3db4a31968@brave.com>
On 2019-07-03 04:34, Anne van Kesteren wrote:
> I wanted to bring https://github.com/whatwg/fetch/pull/908 to your
> attention. We tightened the requirements around the Origin header so
> that it follows the Referrer Policy when it's included in requests
> outside of those pertaining to the CORS protocol.

The first part of this change makes sense to me: we should ensure that
the Origin header does not leak more information than the Referer.

However, is there a use case for using a looser policy (unsafe-url,
origin, origin-when-cross-origin) and including the Origin header on
HTTPS-to-HTTP downgrades?

Unless there are important use cases for this capability, I'd propose
honoring the referrer policy only when it's "stricter" than
no-referrer-when-downgrade.

Francois
Received on Thursday, 11 July 2019 01:09:27 UTC
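As an added illustration that is not part of the thread, the following models the Origin header a non-CORS request would carry under (a) the "Origin follows the referrer policy" behaviour and (b) the stricter rule Francois proposes, where a policy looser than no-referrer-when-downgrade still yields no Origin on an HTTPS-to-HTTP downgrade. The per-policy rules are my reading of the Referrer Policy and Fetch specs, and the example URLs are constructed; neither comes from the message above.

```javascript
// Added example (not from the mailing-list thread). Models the Origin
// header of a non-CORS request under two rules; the per-policy mapping
// below is an assumption based on the Referrer Policy / Fetch specs.

// Policies that would still expose the origin on an HTTPS -> HTTP downgrade.
const LEAKS_ON_DOWNGRADE = new Set([
  'unsafe-url', 'origin', 'origin-when-cross-origin',
]);

function originOf(url) { return new URL(url).origin; }

// A "downgrade" is a TLS-protected source sending to a non-TLS destination.
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' &&
         new URL(toUrl).protocol !== 'https:';
}

// (a) Origin derived purely from the referrer policy; "null" means the
// header is sent as the literal string "null" (no origin disclosed).
function originHeaderFollowingPolicy(policy, fromUrl, toUrl) {
  const origin = originOf(fromUrl);
  switch (policy) {
    case 'no-referrer':
      return 'null';
    case 'no-referrer-when-downgrade':
    case 'strict-origin':
    case 'strict-origin-when-cross-origin':
      return isDowngrade(fromUrl, toUrl) ? 'null' : origin;
    case 'same-origin':
      return origin === originOf(toUrl) ? origin : 'null';
    case 'origin':
    case 'origin-when-cross-origin':
    case 'unsafe-url':
      return origin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// (b) Proposed rule: honour the policy only where it is at least as strict
// as no-referrer-when-downgrade; looser policies never disclose the origin
// across a downgrade.
function originHeaderProposed(policy, fromUrl, toUrl) {
  if (LEAKS_ON_DOWNGRADE.has(policy) && isDowngrade(fromUrl, toUrl)) {
    return 'null';
  }
  return originHeaderFollowingPolicy(policy, fromUrl, toUrl);
}

// Policies whose Origin value differs between the two rules for a given hop.
function divergingPolicies(fromUrl, toUrl) {
  const all = ['no-referrer', 'no-referrer-when-downgrade', 'same-origin',
    'origin', 'strict-origin', 'origin-when-cross-origin',
    'strict-origin-when-cross-origin', 'unsafe-url'];
  return all.filter(p => originHeaderFollowingPolicy(p, fromUrl, toUrl) !==
                         originHeaderProposed(p, fromUrl, toUrl));
}
```

For a constructed hop from `https://app.example/page` to `http://api.example/submit`, `divergingPolicies` returns exactly the three looser policies, which is the set the proposal would change.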
