Intent to Implement: Referrer-Policy header


Emily Stark

Jun 10, 2016, 8:01:10 PM
to blink-dev, Matthew Menke, Mike West, Jochen Eisinger
[net-dev on BCC]

https://w3c.github.io/webappsec-referrer-policy/

The Referrer-Policy header allows pages to set a referrer policy by sending an HTTP response header.

The Referrer-Policy header allows web developers to set a referrer policy for a document without editing the HTML (as they would need to if they were to set the policy via <meta> tag). The Referrer-Policy header can also be applied on redirect responses, to modify the referrer policy and Referer header while following redirects.

The Referrer-Policy HTTP header will eventually replace Content Security Policy's 'referrer' directive, as described in this thread.
Firefox: No public signals
Edge: No public signals
Safari: No public signals

Firefox developers have participated extensively in the Referrer Policy spec and I believe they are planning to implement the Referrer-Policy header, though I can't find a place where they said so publicly.

Adding the Referrer-Policy header will not break existing content (except indirectly, in that we intend to eventually remove the CSP 'referrer' directive once the Referrer-Policy header is shipped, pending measurement of the 'referrer' directive's prevalence in existing content). Once sites are using the Referrer-Policy header, removing the feature will present a privacy loss for sites that are relying on it to prevent secret URLs from leaking in referrer values.
None Yes https://crbug.com/619228 https://www.chromestatus.com/features/5639972996513792 No
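As an added illustration (not code from the thread or from Chromium), the following Python model computes the Referer value the spec's "determine request's referrer" algorithm yields for each policy name, and walks a redirect chain in which a Referrer-Policy header on a redirect response replaces the policy for the hops that follow it. The document URL, hop URLs and headers are constructed sample values; an empty policy is treated as no-referrer-when-downgrade, the spec's default at the time.

```python
from urllib.parse import urlsplit


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"  # scheme://host[:port]


def _strip(url):
    # The spec strips credentials and the fragment before a URL is used as a referrer.
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{host}{p.path or '/'}{query}"


def referer_for(policy, referrer_url, request_url):
    """Referer header value (or None) for one request under `policy`."""
    policy = policy or "no-referrer-when-downgrade"  # spec default in 2016 (assumption)
    same = _origin(referrer_url) == _origin(request_url)
    downgrade = (urlsplit(referrer_url).scheme == "https"
                 and urlsplit(request_url).scheme != "https")
    full, origin = _strip(referrer_url), _origin(referrer_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same else (None if downgrade else origin)
    raise ValueError(f"unknown policy: {policy}")


def follow_redirects(policy, referrer_url, hops):
    """hops: [(request_url, response_headers)] of a redirect chain.
    The referrer stays the original document; a Referrer-Policy header on a
    redirect response replaces the policy for the hops after it."""
    trace = []
    for url, headers in hops:
        trace.append((url, referer_for(policy, referrer_url, url)))
        policy = headers.get("Referrer-Policy", policy)
    return trace
```

Running `follow_redirects("origin-when-cross-origin", "https://secure.example/account?token=SECRET", [("https://secure.example/next", {"Referrer-Policy": "no-referrer"}), ("https://other.example/land", {})])` shows the full URL sent to the same-origin hop and nothing sent to the cross-origin hop once the redirect response has tightened the policy.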

Emily Stark

Jun 10, 2016, 8:24:13 PM
to Emily Stark, blink-dev, Matthew Menke, Mike West, Jochen Eisinger
On Fri, Jun 10, 2016 at 5:00 PM, Emily Stark <est...@chromium.org> wrote:
> [net-dev on BCC]
>
> https://w3c.github.io/webappsec-referrer-policy/
>
> The Referrer-Policy header allows pages to set a referrer policy by sending an HTTP response header.
>
> The Referrer-Policy header allows web developers to set a referrer policy for a document without editing the HTML (as they would need to if they were to set the policy via <meta> tag). The Referrer-Policy header can also be applied on redirect responses, to modify the referrer policy and Referer header while following redirects.
>
> The Referrer-Policy HTTP header will eventually replace Content Security Policy's 'referrer' directive, as described in this thread.
>
> Firefox: No public signals
> Edge: No public signals
> Safari: No public signals
>
> Firefox developers have participated extensively in the Referrer Policy spec and I believe they are planning to implement the Referrer-Policy header, though I can't find a place where they said so publicly.

Er, somehow I completely failed to find this bug with Firefox's plans to support it: https://bugzilla.mozilla.org/show_bug.cgi?id=1264164

Mike West

Jun 12, 2016, 2:08:29 PM
to Emily Stark, blink-dev, Matthew Menke, Jochen Eisinger
Non-owner's LGTM for this; I'm especially excited about being able to drop the deprecated CSP directive that we, but no one else, implemented.

-mike

Rick Byers

Jun 13, 2016, 10:39:00 AM
to Mike West, Emily Stark, blink-dev, Matthew Menke, Jochen Eisinger
Given that there would be privacy implications to removing this (which could make us more cautious than normal when the usage is small) it would be nice to have some signal from Edge and/or Safari.  Has anyone asked them?

But it does look like Firefox is likely to ship this soon (I updated the chromestatus entry).  So that's enough for me: LGTM1

Rick Byers

Jun 13, 2016, 10:40:24 AM
to Mike West, Emily Stark, blink-dev, Matthew Menke, Jochen Eisinger
Oh whoops, I was thinking this was an "implement and ship" - sorry.  Let's revisit once there's an implementation behind a flag (and hopefully more discussion with other vendors). 