intent-to-prototype: Disallow relaxing referrer policy for cross-site requests
Tim Huang
Summary:
The HTTP header referer[1] and document.referrer API[2] allows the website to identify where the navigation came from. It contains the URL of the original page that linked to the current page. The referrer information can be useful for various purposes, such as website activity analytics or logging. However, the referrer can be abused for malicious uses, for example, Web tracking or leaking sensitive information.
To mitigate the privacy concern, the referrer policy[3] was proposed. It allows websites to control how much referrer information would be sent with requests. The websites can use it to stop leaking information for sensitive pages or protect users from referrer-based web tracking. But, the information could still be leaked with less strict referrer policies.
To better protect our uses, we want to limit the usage of less strict referrer policies. Firefox will ignore ‘unsafe-url’, ‘no-referrer-when-downgrade’ and ‘origin-when-cross-origin’ for cross-site requests. These policies are weaker than the default policy of Firefox and might have privacy implications with cross-site requests. The prototype was implemented in Firefox 92 and put behind a pref. We will enable and test this protection in Nightly and Early Beta channel.
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1720291
Standard:
https://github.com/privacycg/proposals/issues/13
Platform coverage:
All
Preference:
“network.http.referer.disallowCrossSiteRelaxingDefault”
DevTools bug:
none
Other browsers:
Safari has implemented this behavior.
Brave has an even stricter behavior that it restricts less strict policies for all requests.
Chrome and Edge don’t have this protection.
web-platform-test
None
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
[2] https://developer.mozilla.org/en-US/docs/Web/API/Document/referrer
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
--