[Webkit-unassigned] [Bug 228323] New: [ITP] Investigating making cross-site Referrer stripping stricter, using origin

Tue Jul 27 06:50:36 PDT 2021

https://bugs.webkit.org/show_bug.cgi?id=228323

            Bug ID: 228323
           Summary: [ITP] Investigating making cross-site Referrer
                    stripping stricter, using origin
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: gsnedders at apple.com
                CC: achristensen at apple.com, beidson at apple.com,
                    wilander at apple.com

Currently on ToT, with the Referrer-Policy default now strict-origin-when-cross-origin, the ITP cross-site referrer stripping only applies when a Referrer-Policy of unsafe-url or no-referrer-when-downgrade is set.

It would be worthwhile seeing if we can get away (compat wise) with making ITP stricter than the current cross-site restrictions; specifically, it would be nice to see if we could enforce this on origin boundaries as this would mean we could simply treat unsafe-url as origin-when-cross-origin and no-referrer-when-downgrade as strict-origin-when-cross-origin.

To me, this is aesthetically nicer, as our behaviour can then always be explained in terms of Referrer-Policy.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210727/7f85f4a2/attachment.htm>