Re: Origin and Referrer Policy

On Wed, Jul 10, 2019 at 6:10 PM Francois Marier <francois@brave.com> wrote:

> On 2019-07-03 04:34, Anne van Kesteren wrote:
> > I wanted to bring https://github.com/whatwg/fetch/pull/908 to your attention
>
> The first part of this change makes sense to me: we should ensure that
> the Origin header does not leak more information than the Referer.
>

Yes, but note that PR only applies to NON-cors requests. For CORS requests
that spec will send the Origin: even if the ReferrerPolicy is no-referrer.
I personally (chair hat definitely off!) disagree and think it should send
null in the no-referrer case. CORS does this for cross-origin redirects so
the servers already have to handle that case.

-Dan Veditz

Received on Thursday, 11 July 2019 19:26:48 UTC