- From: Artur Janc <aaj@google.com>
- Date: Fri, 12 Jul 2019 12:43:24 +0200
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Francois Marier <francois@brave.com>, WebAppSec WG <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
- Message-ID: <CAPYVjqoOmL62RvqkROUnam=Mvkk8tEZJV1sxft2KkQn-mDpnQg@mail.gmail.com>
On Thu, Jul 11, 2019 at 9:28 PM Daniel Veditz <dveditz@mozilla.com> wrote:

> On Wed, Jul 10, 2019 at 6:10 PM Francois Marier <francois@brave.com>
> wrote:
>
>> On 2019-07-03 04:34, Anne van Kesteren wrote:
>> > I wanted to bring https://github.com/whatwg/fetch/pull/908 to your
>> > attention
>>
>> The first part of this change makes sense to me: we should ensure that
>> the Origin header does not leak more information than the Referer.
>
> Yes, but note that PR only applies to NON-cors requests. For CORS requests
> that spec will send the Origin: even if the ReferrerPolicy is no-referrer.
> I personally (chair hat definitely off!) disagree and think it should send
> null in the no-referrer case. CORS does this for cross-origin redirects so
> the servers already have to handle that case.

Won't that make it pretty much impossible to adopt an RP of `no-referrer`
because it will prevent the application from using CORS? Or, worse,
developers will allow requests with `Origin: null` without realizing they
are opening resources up for cross-origin access.

The fact that this happens for cross-origin redirects isn't a similar
problem for developers because they generally avoid redirects for latency
reasons and prefer to request the post-redirect URL where possible.

Something to keep in mind is that the destinations of CORS requests are
generally under the control of the application and the application has a
certain degree of trust in them, as opposed to outgoing links (not to
mention that sending only the origin addresses most of the Referrer
problems related to disclosing URL paths/parameters with sensitive
information).

If we really want to remove the Origin from CORS requests then I think this
would require a new RP opt-in; `no-referrer-no-really-i-mean-it` seems to
fit in nicely with the current naming scheme.
Received on Friday, 12 July 2019 10:44:00 UTC
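The pitfall Artur describes above (a server that allows `Origin: null` to keep a `no-referrer` application working, and thereby opens the resource to every opaque origin) can be made concrete with a small model. The following is an added example, not code from this thread, from the Fetch PR, or from any browser; it models the two positions in the discussion as they are described in the messages (the PR as quoted: CORS requests always carry the real origin; Dan's alternative: `null` under `no-referrer`) and runs them through a weak and a strict server-side CORS allowlist. The hostnames, the allowlist and the case list are constructed for illustration, and the browser-side check is a simplification of the CORS algorithm (exact match of `Access-Control-Allow-Origin` against the request's `Origin`, credentials assumed, so `*` is not considered).

```javascript
// Added example (not from the thread or the spec). Models the Origin header
// a browser would send on a CORS request under each of the two positions in
// the discussion, and what a weak vs. a strict server-side allowlist does
// with it. All hostnames and policies below are constructed for illustration.

// Browser side. "pr908" follows the PR as quoted in the thread: CORS
// requests always carry the requesting origin. "nullOnNoReferrer" is the
// alternative proposed in the thread: send `null` when the Referrer-Policy
// is no-referrer. Both are simplifications, not the spec's full algorithm.
function originHeaderForCorsRequest(requestOrigin, referrerPolicy, variant) {
  if (variant === 'nullOnNoReferrer' && referrerPolicy === 'no-referrer') {
    return 'null';
  }
  return requestOrigin;
}

// Server side: constructed allowlist of origins the application trusts.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

function grant(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Weak handler: also accepts `null`, as a developer might do to keep a
// no-referrer application working. Browsers compare
// Access-Control-Allow-Origin with the Origin header byte-for-byte, so
// answering `null` grants the read to every opaque origin (sandboxed
// iframes, data: URLs, redirected requests) and, under the nullOnNoReferrer
// variant, to any site that sets no-referrer.
function corsDecisionWeak(originHeader) {
  if (originHeader === 'null' || ALLOWED_ORIGINS.has(originHeader)) {
    return grant(originHeader);
  }
  return null; // no CORS headers: the browser blocks the cross-origin read
}

// Strict handler: exact allowlist match only; `null` can never match.
function corsDecisionStrict(originHeader) {
  if (typeof originHeader === 'string' && ALLOWED_ORIGINS.has(originHeader)) {
    return grant(originHeader);
  }
  return null;
}

// Simplified browser-side CORS check: may the calling page read the body?
function responseReadable(originHeader, headers) {
  return headers !== null && headers['Access-Control-Allow-Origin'] === originHeader;
}

// Walk the combinations the thread is arguing about and report, per case,
// whether the caller gets to read the response.
function evaluate(variant, handler) {
  const cases = [
    // [calling origin, Referrer-Policy of the calling document]
    ['https://app.example', 'strict-origin-when-cross-origin'],
    ['https://app.example', 'no-referrer'],
    ['https://attacker.example', 'no-referrer'],
    ['null', 'no-referrer'], // opaque origin, e.g. a sandboxed iframe
  ];
  const out = {};
  for (const [caller, policy] of cases) {
    const origin = originHeaderForCorsRequest(caller, policy, variant);
    out[`${caller} / ${policy}`] = responseReadable(origin, handler(origin));
  }
  return out;
}

for (const variant of ['pr908', 'nullOnNoReferrer']) {
  console.log(`${variant} / strict allowlist`, evaluate(variant, corsDecisionStrict));
  console.log(`${variant} / allowlist that also accepts null`, evaluate(variant, corsDecisionWeak));
}
```

Running it shows both halves of the argument: under the `nullOnNoReferrer` variant the strict handler breaks the application's own `no-referrer` page (its request arrives as `Origin: null` and is refused), while the weak handler that "fixes" that also lets `https://attacker.example` read the response, since its request carries the same `null`. Under the quoted PR behaviour the strict handler keeps working for the application and refuses the attacker, and the only case the weak handler leaks is the opaque-origin caller, which is the pre-existing `null` problem the thread mentions for redirects.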