W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2019

Re: Origin and Referrer Policy

From: Artur Janc <aaj@google.com>
Date: Fri, 12 Jul 2019 12:43:24 +0200
Message-ID: <CAPYVjqoOmL62RvqkROUnam=Mvkk8tEZJV1sxft2KkQn-mDpnQg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Francois Marier <francois@brave.com>, WebAppSec WG <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
On Thu, Jul 11, 2019 at 9:28 PM Daniel Veditz <dveditz@mozilla.com> wrote:

> On Wed, Jul 10, 2019 at 6:10 PM Francois Marier <francois@brave.com>
> wrote:
>
>> On 2019-07-03 04:34, Anne van Kesteren wrote:
>> > I wanted to bring https://github.com/whatwg/fetch/pull/908 to your
>> attention
>>
>> The first part of this change makes sense to me: we should ensure that
>> the Origin header does not leak more information than the Referer.
>>
>
> Yes, but note that PR only applies to NON-cors requests. For CORS requests
> that spec will send the Origin: even if the ReferrerPolicy is no-referrer.
> I personally (chair hat definitely off!) disagree and think it should send
> null in the no-referrer case. CORS does this for cross-origin redirects so
> the servers already have to handle that case.
>

Won't that make it pretty much impossible to adopt an RP of `no-referrer`
because it will prevent the application from using CORS? Or, worse,
developers will allow requests with `Origin: null` without realizing they
are opening resources up for cross-origin access. The fact that this
happens for cross-origin redirects isn't a similar problem for developers
because they generally avoid redirects for latency reasons and prefer to
request the post-redirect URL where possible.

Something to keep in mind is that the destinations of CORS requests are
generally under the control of the application and the application has a
certain degree of trust in them, as opposed to outgoing links (not to
mention that sending only the origin addresses most of the Referrer
problems related to disclosing URL paths/parameters with sensitive
information). If we really want to remove the Origin from CORS requests
then I think this would require a new RP opt-in;
`no-referrer-no-really-i-mean-it` seems to fit in nicely with the current
naming scheme.
Received on Friday, 12 July 2019 10:44:00 UTC

This archive was generated by hypermail 2.3.1 : Friday, 12 July 2019 10:44:01 UTC