Intent to ship: Setting the default referrer policy to ‘strict-origin-when-cross-origin’

Dimi Lee

Dec 15, 2020, 7:04:01 AM12/15/20
to dev-pl...@lists.mozilla.org
Summary:
Referrer-policy controls the referrer information sent in the request
header. It can be specified in the response header or in the document. If
no policy is specified, we use the default policy.

Currently, the default is ‘no-referrer-when-downgrade’, which sends the
origin, path, and query string of the URL of the originating document as
the referrer but doesn’t send the referrer when navigating to a less secure
destination (e.g., https: to http:).

We plan to reduce the granularity exposed in the referrer by changing the
default to `strict-origin-when-cross-origin`. In addition to the existing
restrictions, this new default only sends the origin while performing a
cross-origin request (except https: to http:, which doesn’t send the
referrer).

The policy will apply to navigation, redirect, and sub-resource requests.

An illustrative example:
Navigating from https://mozilla.org/path?query to https://example.com when
no referrer-policy is specified:

- Current default: https://mozilla.org/path?query
- New default: https://mozilla.org/

More details:
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1589074

Link to standard:
https://github.com/w3c/webappsec-referrer-policy/pull/142

Platform coverage:
All platforms.

Preference:
network.http.referer.defaultPolicy

Estimated or target release:
86

Is this feature enabled by default in sandboxed iframes?
Yes.

DevTools bug:
No

Do other browser engines implement this?
Chrome has been shipping the behavior since 85.
https://www.chromestatus.com/feature/6251880185331712

Safari has been shipping the behavior with a slight variant.
https://trac.webkit.org/changeset/250413/webkit

Is this feature restricted to secure contexts?
No.

Web-platform-tests:
https://github.com/mozilla/gecko-dev/commit/7c1ab5d4c7dbd1e03e3c1a58aa65de689257adda

Best regards
Dimi
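The referrer computation described in the post, as an added example that is not part of the original message or of Gecko's code: `computeReferrer` (a hypothetical helper name) takes a source URL, a destination URL and one of the two policies discussed above and returns the `Referer` value a browser following the spec would send, or `null` when none is sent. It assumes the simplified rule that only `https:` and `wss:` count as secure; the spec's full "potentially trustworthy" definition (localhost, file: and so on) is omitted.

```javascript
// Added example, not from the original post. Sample URLs below are constructed.

// Simplified notion of a secure scheme; the spec's "potentially trustworthy"
// definition is broader (localhost, file:, ...), which this example omits.
function isSecure(url) {
  return url.protocol === "https:" || url.protocol === "wss:";
}

// A "downgrade" is a secure origin navigating or fetching a non-secure one.
function isDowngrade(from, to) {
  return isSecure(from) && !isSecure(to);
}

// The full referrer never carries credentials or the fragment.
function fullReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer: scheme, host and port, with a trailing slash.
function originReferrer(url) {
  return url.origin + "/";
}

// Returns the Referer string to send, or null when no referrer is sent.
function computeReferrer(sourceHref, destHref, policy = "strict-origin-when-cross-origin") {
  const from = new URL(sourceHref);
  const to = new URL(destHref);
  switch (policy) {
    case "no-referrer-when-downgrade":
      // Old default: full URL everywhere except https: -> http:.
      return isDowngrade(from, to) ? null : fullReferrer(from);
    case "strict-origin-when-cross-origin":
      // New default: full URL same-origin, origin only cross-origin,
      // nothing on a downgrade.
      if (isDowngrade(from, to)) return null;
      return from.origin === to.origin ? fullReferrer(from) : originReferrer(from);
    default:
      throw new Error(`policy not covered by this example: ${policy}`);
  }
}
```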