Intent to Deprecate and Remove: CSP 'referrer' directive

[Emily Stark]

Primary eng (and PM) emails

est...@chromium.org

Summary

The CSP 'referrer' directive allows site owners to set a Referrer Policy (https://w3c.github.io/webappsec-referrer-policy/) for their page from an HTTP header. The 'referrer' directive has been removed from the spec and replaced with the Referrer-Policy header.

Motivation

This feature has very low usage (<= 0.0001% of page loads) and has been obviated by the Referrer-Policy header, which will ship in M56.

Compatibility Risk

Firefox is the only other browser that supports this CSP directive. Thus developers who are using this feature have already accepted the risk that the referrer policy will not be applied to their page for all their users.

Alternative implementation suggestion for web developers

The Referrer-Policy header or the <meta name="referrer"> tag.

Usage information from UseCounter

<= 0.0001% of page loads

Entry on the feature dashboard

There doesn't appear to be a chromestatus entry for CSP 'referrer', but the other Referrer Policy entries are https://www.chromestatus.com/feature/5639972996513792 and https://www.chromestatus.com/feature/5126747842412544

Requesting approval to remove too?

Yes

[Philip Jägenstedt]

LGTM1

[TAMURA, Kent]

LGTM2

--

TAMURA Kent
Software Engineer, Google

[Jochen Eisinger]

lgtm3

[Philip Jägenstedt]

I overlooked this from the other thread:

"""

Actually, in writing up the Intent to Remove, I realized that it looks like Firefox did in fact implement this: https://bugzilla.mozilla.org/show_bug.cgi?id=965727

Does that change the calculus here? Since IE/Edge/Safari don't support it, I think Mike's argument still stands that developers are already putting their users at risk if they're using this feature alone to specify a Referrer Policy.

"""

Have you filed a Gecko bug to have their support removed?

[Emily Stark]

Looks like there is already a bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=1302449

They are logging a console message for a couple releases, but they also don't have any usage data yet.

[Philip Jägenstedt]

Thanks Emily. Hope the removal works out. Given the support in Firefox I suppose we should be slightly less tolerant of breakage, but let's hope there's none at all.

[Joe Medley]

Emily,

Since the intent is to notify developer's of changes, could you please create a separate status entry for this. Do you have an OWP tracking bug?

FYI Information on Chrome Status triggers much of Developer Relations's outreach. 

Joe

Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195

If an API's not documented it doesn't exist.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

[Emily Stark]

On Mon, Oct 24, 2016 at 8:39 AM, Joe Medley <jme...@google.com> wrote:

Emily,

Since the intent is to notify developer's of changes, could you please create a separate status entry for this. Do you have an OWP tracking bug?

My bad, I didn't realize those things were needed for deprecations/removals.

Chrome Status: https://www.chromestatus.com/feature/5680800376815616

OWP bug: https://bugs.chromium.org/p/chromium/issues/detail?id=658761

[Joe Medley]

On Mon, Oct 24, 2016 at 9:43 AM, Emily Stark <est...@chromium.org> wrote:

https://bugs.chromium.org/p/chromium/issues/detail?id=658761

Thanks.

Are you deprecating and removing in a single version or is there going to be a deprecation period?

[Emily Stark]

On Mon, Oct 24, 2016 at 12:05 PM, Joe Medley <jme...@google.com> wrote:

On Mon, Oct 24, 2016 at 9:43 AM, Emily Stark <est...@chromium.org> wrote:

https://bugs.chromium.org/p/chromium/issues/detail?id=658761

Thanks.

Are you deprecating and removing in a single version or is there going to be a deprecation period?

Deprecating and removing in M56, because usage is so low and Edge/Safari don't support it at all.

[valentina...@gmail.com]

yes