Intent to Implement and Ship: Referrer policies 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'

[Emily Stark]

Contact emails

est...@chromium.org, joc...@chromium.org

Spec

https://w3c.github.io/webappsec-referrer-policy/

No TAG review for this specific part of the spec, as it's a small extension of the existing Referrer Policy feature.

Summary

The Referrer Policy specification includes three policy values that Chrome doesn't yet implement:

- same-origin: Send full referrers same-origin, no referrers cross-origin.

- strict-origin: Strip referrers to the origin, but strip them entirely when downgrading from HTTPS to HTTP.

- strict-origin-when-cross-origin: Send full referrers same-origin, strip to the origin when cross-origin, and strip referrers entirely when downgrading from HTTPS to HTTP.

Motivation

These policy values give site owners more control over what referrer information is sent cross-origin or over insecure connections. A number of site owners have chimed in on a bug to ask Chrome to support these policies (which Firefox already supports).

Interoperability risk

Firefox: Shipped

Edge: No public signals

Safari: No public signals

Web developers: Positive (based on bug discussion)

Debuggability

Referrer policies for network requests are viewable in DevTools.

Interoperability and Compatibility risk

Interop risk is low; Firefox already supports. These policies are covered in the fairly comprehensive set of web-platform-tests for Referrer Policy. Rolling out these new policy values should not break any existing web content.

Ongoing technical constraints

None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,

Chrome OS, Android, and Android WebView)? Yes

OWP launch tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=729571

Link to entry on the Chrome Platform Status

https://www.chromestatus.com/features/5634117806850048

Requesting approval to ship?

Yes

[Chris Harrelson]

LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2Sb1bv5U%2BdDTj9j4rLmrUdw%2B6S8EkmEWa6dok%2BfKTLUUgA%40mail.gmail.com.

[Rick Byers]

LGTM2

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-apQa8BfsQrWyWT0ryrfCfL9M32SBnrULZmx6i0XNong%40mail.gmail.com.

[Mike West]

Non-OWNER's LGTM from me. Thanks for circling back to this, Emily. Shipping these policies will let us close the book on the Referrer Policy spec, and give WebKit and Edge a clear target to match.

It looks like these new policies are already covered by the suite in https://github.com/w3c/web-platform-tests/tree/master/referrer-policy, so I'm excited to see us start passing them. :)

-mike

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY90AUo5gqZRWkY%2BSLCZgsO8wRGb15vGnmPGJrpLHw-nDA%40mail.gmail.com.

[Philip Jägenstedt]

LGTM3

Would you mind adding a link to https://github.com/w3c/web-platform-tests/tree/master/referrer-policy from the spec itself? It's good PR for wpt, but if this were done for almost all specs, I think there are some interesting bits of tooling one could build.

LGTM2

LGTM1

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2Sb1bv5U%2BdDTj9j4rLmrUdw%2B6S8EkmEWa6dok%2BfKTLUUgA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-apQa8BfsQrWyWT0ryrfCfL9M32SBnrULZmx6i0XNong%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY90AUo5gqZRWkY%2BSLCZgsO8wRGb15vGnmPGJrpLHw-nDA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DfL1RjBVHrBDhFwJGdM7j%2BTDTF%3D_e3L02C%3DcWGkK%2Bjqgg%40mail.gmail.com.

[Emily Stark]

On Wed, Jun 7, 2017 at 6:06 AM, Philip Jägenstedt <foo...@chromium.org> wrote:

LGTM3

Would you mind adding a link to https://github.com/w3c/web-platform-tests/tree/master/referrer-policy from the spec itself? It's good PR for wpt, but if this were done for almost all specs, I think there are some interesting bits of tooling one could build.

I happened to just merge your PR for that. :) It's live on https://w3c.github.io/webappsec-referrer-policy now.

 

LGTM2

LGTM1

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2Sb1bv5U%2BdDTj9j4rLmrUdw%2B6S8EkmEWa6dok%2BfKTLUUgA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-apQa8BfsQrWyWT0ryrfCfL9M32SBnrULZmx6i0XNong%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY90AUo5gqZRWkY%2BSLCZgsO8wRGb15vGnmPGJrpLHw-nDA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

[Philip Jägenstedt]

On Wed, Jun 7, 2017 at 10:08 PM Emily Stark <est...@chromium.org> wrote:

On Wed, Jun 7, 2017 at 6:06 AM, Philip Jägenstedt <foo...@chromium.org> wrote:

LGTM3

Would you mind adding a link to https://github.com/w3c/web-platform-tests/tree/master/referrer-policy from the spec itself? It's good PR for wpt, but if this were done for almost all specs, I think there are some interesting bits of tooling one could build.

I happened to just merge your PR for that. :) It's live on https://w3c.github.io/webappsec-referrer-policy now.

Ha, I was confused when I couldn't see it and assumed that wasn't the spec I'd sent a PR for :)

 

LGTM2

LGTM1

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2Sb1bv5U%2BdDTj9j4rLmrUdw%2B6S8EkmEWa6dok%2BfKTLUUgA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-apQa8BfsQrWyWT0ryrfCfL9M32SBnrULZmx6i0XNong%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY90AUo5gqZRWkY%2BSLCZgsO8wRGb15vGnmPGJrpLHw-nDA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DfL1RjBVHrBDhFwJGdM7j%2BTDTF%3D_e3L02C%3DcWGkK%2Bjqgg%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SYUmFOxi3AGs26vSSLRz1WdtLMvNJZ_fW_2MC_yhU%2B64g%40mail.gmail.com.