Intent to Deprecate and Remove: CSP 'referrer' directive


Emily Stark

Oct 23, 2016, 3:38:28 PM
to blink-dev

Primary eng (and PM) emails

est...@chromium.org


Summary

The CSP 'referrer' directive allows site owners to set a Referrer Policy (https://w3c.github.io/webappsec-referrer-policy/) for their page from an HTTP header. The 'referrer' directive has been removed from the spec and replaced with the Referrer-Policy header.


Motivation

This feature has very low usage (<= 0.0001% of page loads) and has been obviated by the Referrer-Policy header, which will ship in M56.


Compatibility Risk

Firefox is the only other browser that supports this CSP directive. Thus developers who are using this feature have already accepted the risk that the referrer policy will not be applied to their page for all their users.


Alternative implementation suggestion for web developers

The Referrer-Policy header or the <meta name="referrer"> tag.


Usage information from UseCounter

<= 0.0001% of page loads


Entry on the feature dashboard

There doesn't appear to be a chromestatus entry for CSP 'referrer', but the other Referrer Policy entries are https://www.chromestatus.com/feature/5639972996513792 and https://www.chromestatus.com/feature/5126747842412544


Requesting approval to remove too?

Yes
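
The migration described in this post, as an added example that is not part of the original thread or of Chromium's code: a header audit that flags responses still relying only on the CSP 'referrer' directive and proposes the equivalent Referrer-Policy header. The function names, status labels and sample responses are assumptions made for illustration.

```python
# Added example: find responses that rely only on the CSP 'referrer' directive.
# Policy tokens defined by the Referrer Policy spec linked in the post.
REFERRER_POLICY_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def csp_referrer_values(csp_value):
    """Return the value of each 'referrer' directive in one CSP header value."""
    found = []
    for policy in csp_value.split(","):  # one header can carry several policies
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "referrer":
                found.append(parts[1].lower() if len(parts) > 1 else "")
    return found

def audit(headers):
    """Classify one response given its headers as (name, value) pairs.

    Only headers are inspected: a <meta name="referrer"> tag in the body
    is not seen by this check and has to be verified separately.
    """
    directive_values, has_referrer_policy = [], False
    for name, value in headers:
        if name.lower() == "content-security-policy":
            directive_values += csp_referrer_values(value)
        elif name.lower() == "referrer-policy" and value.strip():
            has_referrer_policy = True
    if not directive_values:
        return ("ok", None)
    if has_referrer_policy:
        return ("covered", None)  # the CSP directive can simply be dropped
    token = directive_values[0]  # assumption: suggest the first value found
    if token in REFERRER_POLICY_TOKENS:
        return ("at-risk", "Referrer-Policy: " + token)
    return ("at-risk", None)  # value is not a spec token: pick a policy by hand

# Constructed sample responses (not taken from the thread).
SAMPLES = {
    "legacy": [("Content-Security-Policy", "default-src 'self'; referrer origin")],
    "migrated": [("Content-Security-Policy", "referrer origin"),
                 ("Referrer-Policy", "origin")],
    "plain": [("Content-Security-Policy", "default-src 'self'")],
    "odd": [("content-security-policy", "REFERRER none")],
}

if __name__ == "__main__":
    for label, sample_headers in SAMPLES.items():
        print(label, audit(sample_headers))
```

An "at-risk" result means the page loses its referrer policy once the directive is ignored, so the suggested header should be deployed before the CSP directive is removed from the configuration.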

Philip Jägenstedt

Oct 23, 2016, 4:57:33 PM
to Emily Stark, blink-dev
LGTM1

TAMURA, Kent

Oct 23, 2016, 11:29:45 PM
to Philip Jägenstedt, Emily Stark, blink-dev
LGTM2

--
TAMURA Kent
Software Engineer, Google


Jochen Eisinger

Oct 24, 2016, 12:37:49 AM
to TAMURA, Kent, Philip Jägenstedt, Emily Stark, blink-dev
lgtm3

Philip Jägenstedt

Oct 24, 2016, 6:23:32 AM
to Jochen Eisinger, TAMURA, Kent, Emily Stark, blink-dev
I overlooked this from the other thread:

"""
Actually, in writing up the Intent to Remove, I realized that it looks like Firefox did in fact implement this: https://bugzilla.mozilla.org/show_bug.cgi?id=965727

Does that change the calculus here? Since IE/Edge/Safari don't support it, I think Mike's argument still stands that developers are already putting their users at risk if they're using this feature alone to specify a Referrer Policy.
"""

Have you filed a Gecko bug to have their support removed?

Emily Stark

Oct 24, 2016, 11:17:43 AM
to Philip Jägenstedt, Jochen Eisinger, TAMURA, Kent, Emily Stark, blink-dev
Looks like there is already a bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=1302449

They are logging a console message for a couple releases, but they also don't have any usage data yet.

Philip Jägenstedt

Oct 24, 2016, 11:32:29 AM
to Emily Stark, Jochen Eisinger, TAMURA, Kent, blink-dev
Thanks Emily. Hope the removal works out. Given the support in Firefox I suppose we should be slightly less tolerant of breakage, but let's hope there's none at all.

Joe Medley

Oct 24, 2016, 11:39:58 AM
to Philip Jägenstedt, Emily Stark, Jochen Eisinger, TAMURA, Kent, blink-dev
Emily,

Since the intent is to notify developers of changes, could you please create a separate status entry for this? Do you have an OWP tracking bug?

FYI Information on Chrome Status triggers much of Developer Relations's outreach.

Joe

Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.


Emily Stark

Oct 24, 2016, 12:43:46 PM
to Joe Medley, Philip Jägenstedt, Emily Stark, Jochen Eisinger, TAMURA, Kent, blink-dev
On Mon, Oct 24, 2016 at 8:39 AM, Joe Medley <jme...@google.com> wrote:
> Emily,
>
> Since the intent is to notify developers of changes, could you please create a separate status entry for this? Do you have an OWP tracking bug?

My bad, I didn't realize those things were needed for deprecations/removals.

Joe Medley

Oct 24, 2016, 3:05:41 PM
to Emily Stark, Philip Jägenstedt, Jochen Eisinger, TAMURA, Kent, blink-dev

On Mon, Oct 24, 2016 at 9:43 AM, Emily Stark <est...@chromium.org> wrote:
> https://bugs.chromium.org/p/chromium/issues/detail?id=658761

Thanks.

Are you deprecating and removing in a single version or is there going to be a deprecation period?

Emily Stark

Oct 24, 2016, 3:24:47 PM
to Joe Medley, Emily Stark, Philip Jägenstedt, Jochen Eisinger, TAMURA, Kent, blink-dev
On Mon, Oct 24, 2016 at 12:05 PM, Joe Medley <jme...@google.com> wrote:
> On Mon, Oct 24, 2016 at 9:43 AM, Emily Stark <est...@chromium.org> wrote:
>> https://bugs.chromium.org/p/chromium/issues/detail?id=658761
>
> Thanks.
>
> Are you deprecating and removing in a single version or is there going to be a deprecation period?

Deprecating and removing in M56, because usage is so low and Edge/Safari don't support it at all.

valentina...@gmail.com

Feb 24, 2017, 7:42:08 AM
to blink-dev
yes