Meta Referrer and origin-when-crossorigin


Devdatta Akhawe

Jan 25, 2015, 11:20:24 PM1/25/15
to security-dev
Hi everyone

I was playing around with the new meta-referrer directive, and it
seems Blink doesn't currently support the origin-when-crossorigin
directive.

http://htmlpad.org/referrer-meta-test/

Is there a bug to track the implementation for this feature? I had
kinda imagined Blink would be the first to support it given the
authors of the spec ;)

Additionally, Blink has an even worse behavior: it falls down to
defaulting to "no-referrer" when it sees an unknown value. This
essentially kills internal uses of the Referrer header. As a result,
as a web application author, I can't actually protect users today via
origin-when-crossorigin, even though Firefox supports this directive!

Has this been discussed in the past? Is this considered a bug or a
feature? In general, while it sounds great for security, this seems
like an anti-pattern for the web and longer-term bad for security!
Imagine if older CSP parsers just died with a policy of "none" if they
saw a nonce- directive.

cheers
Dev
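An added illustration, not code from the thread, from Blink or from the spec: a small JavaScript model of how a browser resolves the Referer header under the meta referrer tokens named above, including the unknown-value fallback to "no-referrer" that the message describes. The token names are taken from the thread; the URLs are constructed sample values.

```javascript
// Added example (not from the thread): models Referer resolution under
// <meta name="referrer" content="..."> for the policies the thread names,
// and the fallback it complains about: an unrecognised token is treated
// as "no-referrer", so a typo or a not-yet-supported directive silently
// drops the header even for same-origin (internal) requests.

const KNOWN_POLICIES = new Set([
  'no-referrer', 'origin', 'origin-when-crossorigin', 'unsafe-url',
]);

// Same origin means same scheme, host and port; path and query are ignored.
function sameOrigin(a, b) {
  return a.origin === b.origin;
}

// Credentials and the fragment are never sent in Referer.
function stripForReferer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer value to send, or null when no header is sent.
// `policy` is the meta tag's content attribute exactly as the author wrote it.
function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const effective = KNOWN_POLICIES.has(policy) ? policy : 'no-referrer';
  switch (effective) {
    case 'no-referrer':
      return null;
    case 'origin':
      return from.origin + '/';
    case 'origin-when-crossorigin':
      // Full URL to the same origin, origin-only to anyone else.
      return sameOrigin(from, to) ? stripForReferer(from) : from.origin + '/';
    case 'unsafe-url':
      return stripForReferer(from);
  }
}

// Constructed sample: an internal page linking to an internal endpoint
// and to a third-party host.
const PAGE = 'https://app.example/account/settings?tab=1#top';
const INTERNAL = 'https://app.example/api/save';
const EXTERNAL = 'https://cdn.other.example/widget.js';
```

With a recognised origin-when-crossorigin, the internal request still carries the full path (minus the fragment) while the third party sees only the origin; with an unrecognised token the internal request gets no Referer at all.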

Mike West

Jan 26, 2015, 12:24:56 AM1/26/15
to Devdatta Akhawe, security-dev

It's implemented in Canary and Dev. I don't recall if we got it in before the latest branch point; might or might not be in Beta shortly.

Regarding the fallback behavior, sounds like something worth raising on public-webappsec. I'm fairly sure it's the behavior the spec mandates, but I'm certainly open to changing it (as well as the combination behavior, which might not really be workable (and which we haven't implemented yet)).

-mike (on a phone)

Mike West

Jan 26, 2015, 3:47:51 AM1/26/15
to Devdatta Akhawe, security-dev
Now that I'm back at a computer, https://codereview.chromium.org/736233004 is the CL you should go back in time and pay attention to. It landed in time for Chrome 41, so I assume it'll be hitting beta shortly.

-mike

--
Mike West <mk...@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Devdatta Akhawe

Jan 26, 2015, 12:42:28 PM1/26/15
to Mike West, security-dev

Thanks!

I think I will just discuss the extensibility issues at appsec cali with various folks and then email it out to webappsec.
