CSP 'referrer' directive: deprecate or remove?


Emily Stark

Oct 19, 2016, 2:46:57 PM
to blink-dev, Mike West, Jochen Eisinger
I'd like to remove the CSP 'referrer' directive. This directive sets a Referrer Policy for the page and has been obviated by the Referrer-Policy header.

The directive is seen on <= 0.0001% of page loads. However, removing the directive has privacy implications for pages that are using it. (For example, a page might have set a 'referrer' directive of 'no-referrer' to never send referrers on outgoing requests, and removing the CSP directive means that the page will silently start sending referrers again.)

Do any API owners have an opinion about whether we should go straight to removing the directive, or if it would be preferable to deprecate with a console message for a couple releases first?

Thanks,
Emily
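The privacy risk described above (a page whose only Referrer Policy comes from the CSP 'referrer' directive silently loses it when the directive is removed) can be checked from a site's response headers. This is an added example, not code from Chromium or from anyone in this thread; the header values and the five shared policy names are assumptions constructed for illustration.

```python
"""Flag pages that rely on the CSP 'referrer' directive alone (constructed example)."""

# Policy names that the CSP 'referrer' directive and the Referrer-Policy header
# share, so the directive value can be carried over verbatim (assumption:
# the five names from the Referrer Policy draft current in 2016).
SHARED_POLICY_VALUES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "unsafe-url",
}


def csp_referrer_value(csp_header: str):
    """Return the value of the 'referrer' directive in a CSP header value.

    Returns None if the directive is absent and "" if it is present but empty.
    Directive names are case-insensitive; directives are separated by ';'.
    """
    for directive in csp_header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "referrer":
            return tokens[1].lower() if len(tokens) > 1 else ""
    return None


def assess(headers: dict) -> dict:
    """Decide whether a page would lose its Referrer Policy on directive removal.

    `headers` maps lower-cased response header names to their values.
    A page is at risk when it sets a CSP 'referrer' directive but no
    Referrer-Policy header; the suggested header value is the directive
    value when it is one the header understands, otherwise None.
    """
    directive_value = csp_referrer_value(headers.get("content-security-policy", ""))
    header_value = headers.get("referrer-policy")
    at_risk = directive_value is not None and header_value is None
    suggested = directive_value if at_risk and directive_value in SHARED_POLICY_VALUES else None
    return {
        "csp_referrer": directive_value,
        "referrer_policy": header_value,
        "at_risk": at_risk,
        "suggested_header": suggested,
    }


# Constructed sample responses: the at-risk case, a migrated page, and a page
# that never used the directive.
ONLY_DIRECTIVE = {"content-security-policy": "default-src 'self'; referrer no-referrer"}
MIGRATED = {"content-security-policy": "referrer origin", "referrer-policy": "origin"}
NO_DIRECTIVE = {"content-security-policy": "default-src 'self'"}
```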

Philip Jägenstedt

Oct 19, 2016, 2:55:01 PM
to Emily Stark, blink-dev, Mike West, Jochen Eisinger
Is this a maintenance burden and do you expect that moving slowly would make it harder to remove? If not, then maybe deprecate for 1-2 releases? I also wonder if CSP reporting might be abused here to tell people that they're using a deprecated part of CSP?

Mike West

Oct 20, 2016, 4:46:29 AM
to Philip Jägenstedt, Rick Byers, Emily Stark, blink-dev, Jochen Eisinger
I think the risk to developers is minimal, as Chrome is the only browser that shipped this header, meaning that developers who aren't specifying a policy in a more universal way are already putting their users at risk. No other browser is going to ship this directive, and the usage is minimal.

Non-owner's LGTM to just remove the code. Deprecating for one release sounds reasonable if folks are worried about the risk, but I don't really think the risk is worth worrying about. :)

Adding a "this is deprecated" message to CSP's reporting mechanism is interesting, but I think it would be better to define a real notification mechanism on top of http://wicg.github.io/reporting/. Rick, wasn't this on your team's list somewhere? I'd be interested in sketching that out with y'all, if so.

-mike

Philip Jägenstedt

Oct 20, 2016, 5:20:48 AM
to Mike West, Rick Byers, Emily Stark, blink-dev, Jochen Eisinger
Oh, so it was only ever shipped by Chrome. Is https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy totally wrong about the support for the Referrer-Policy header? If that already works in a few places, then indeed it seems likely that both mechanisms are used. So risk wise direct removal would probably work out.

(The deprecation reporting idea is https://crbug.com/564071, was just curious if it might be easy to experiment with the idea here, but if it'd be more than 10 lines of code I agree let's keep that idea separate.)

Are console messages logged when you have a typo in the CSP header? If not, that might help catch other mistakes, and would help developers figure out what's happened.

Jochen Eisinger

Oct 20, 2016, 5:38:22 AM
to Philip Jägenstedt, Mike West, Rick Byers, Emily Stark, blink-dev
The Referrer-Policy header is different from the CSP header with the referrer directive.

We recently shipped the Referrer-Policy header. Now we'd like to remove the referrer directive from the CSP header.

Philip Jägenstedt

Oct 20, 2016, 5:44:03 AM
to Jochen Eisinger, Mike West, Rick Byers, Emily Stark, blink-dev
My question about console messages was answered in the affirmative in the reflected-xss thread, so assuming that migrating to Referrer-Policy is easy, doing immediate removal in this case too SGTM.

Emily Stark

Oct 20, 2016, 9:40:09 PM
to Philip Jägenstedt, Jochen Eisinger, Mike West, Rick Byers, Emily Stark, blink-dev
Alright, thanks all for the input! I'll send an official Intent to Remove.

Emily Stark

Oct 20, 2016, 9:45:37 PM
to Emily Stark, Philip Jägenstedt, Jochen Eisinger, Mike West, Rick Byers, blink-dev
Actually, in writing up the Intent to Remove, I realized that it looks like Firefox did in fact implement this: https://bugzilla.mozilla.org/show_bug.cgi?id=965727

Does that change the calculus here? Since IE/Edge/Safari don't support it, I think Mike's argument still stands that developers are already putting their users at risk if they're using this feature alone to specify a Referrer Policy.