[Webkit-unassigned] [Bug 228324] New: Investigate removing Referrer in all HTTPS -> HTTP cases

Tue Jul 27 08:03:41 PDT 2021

https://bugs.webkit.org/show_bug.cgi?id=228324

            Bug ID: 228324
           Summary: Investigate removing Referrer in all HTTPS -> HTTP
                    cases
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: gsnedders at apple.com
                CC: achristensen at apple.com, beidson at apple.com,
                    wilander at apple.com

While less useful in the short term due to SNI providing leakage of the cross-site origin anyway, once ECH has more support the only data available to a passive monitor is the IP address of the secure origin; as such, at that point, it would become a big shame to then be leaking it through the Referer header when navigating to an insecure origin.

This doesn't happen by default on ToT, given the Referrer-Policy default of strict-origin-when-cross-origin means we don't send a Referer in the HTTPS -> HTTP case anyway, but we should probably investigate making all the Referrer-Policy behave like this. (See Bug 228323, which is related insofar as it suggests overriding the policy in other ways.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210727/8a8bc7a4/attachment.htm>