PSA: New default referrer policy arriving in M89

Skip to first unread message

David Van Cleve

Nov 17, 2020, 5:42:40 PM11/17/20
to Chromium Embedders
TL;DR: The base::Feature controlling the default referrer policy's change to strict-origin-when-cross-origin has been enabled by default in r828098 (and will shortly be removed as part of cleaning up the rollout).

This means cross-origin requests will have referrers (as manifested in the HTTP Referer header and the Document.referrer API) bearing only the requests' initiating origins in situations where these referrers would previously have contained full initiating URLs.

Why does this matter?

Some sites inspect referrers for access control or for analytics. We've received reports of isolated breakage while rolling this change out. Depending on the embedding product, testing or developer outreach might be appropriate to understand or mitigate the compatibility impact.
Reply all
Reply to author
0 new messages