[Webkit-unassigned] [Bug 272683] Referrer-Policy 'unsafe-url' and co. supported for same-site URLs

bugzilla-daemon at webkit.org
Tue Apr 16 11:28:59 PDT 2024


--- Comment #1 from Sam Sneddon [:gsnedders] <gsnedders at apple.com> ---
This is to do with ITP's stripping of referrers, after Referrer-Policy has already been applied.

https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/ says:

> ITP now downgrades all cross-site request referrer headers to just the page’s origin. Previously, this was only done for cross-site requests to classified domains.

It is perhaps surprising that we're doing this for cross-site rather than cross-origin, given it means that our behaviour cannot be described in terms of Referrer-Policy alone.

It would perhaps be worthwhile to consider simply treating all weaker Referrer-Policy policies as identical to origin-when-cross-origin (v. the (non-existent) "origin-when-cross-site" of our current behaviour), or even just never allowing anything weaker than the default strict-origin-when-cross-origin.

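The two-step behaviour described in the comment above, as an added example that is not part of the original message and is not WebKit code: Referrer-Policy is applied first, then a cross-site downgrade to the page's origin. The function names, the sample URLs, the "last two host labels" site rule and the https-only downgrade test are simplifying assumptions.

```javascript
// Simplified model for illustration only; not WebKit's implementation.
const originOf = (u) => new URL(u).origin;
// ASSUMPTION: site = last two host labels. Real browsers use the Public Suffix List.
const siteOf = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// Referrer serialisation: origin only, or full URL minus credentials and fragment.
function strip(u, originOnly) {
  const url = new URL(u);
  if (originOnly) return url.origin + "/";
  url.username = ""; url.password = ""; url.hash = "";
  return url.href;
}

// Step 1: Referrer-Policy, decided on same-origin vs cross-origin.
function applyReferrerPolicy(policy, from, to) {
  const sameOrigin = originOf(from) === originOf(to);
  // ASSUMPTION: "downgrade" approximated as https page -> non-https target.
  const downgrade = new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
  switch (policy) {
    case "no-referrer": return "";
    case "unsafe-url": return strip(from, false);
    case "origin": return strip(from, true);
    case "same-origin": return sameOrigin ? strip(from, false) : "";
    case "origin-when-cross-origin": return strip(from, !sameOrigin);
    case "strict-origin": return downgrade ? "" : strip(from, true);
    case "no-referrer-when-downgrade": return downgrade ? "" : strip(from, false);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(from, false);
      return downgrade ? "" : strip(from, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Step 2: the downgrade quoted from the blog post, decided on same-site vs cross-site.
function itpDowngrade(referrer, from, to) {
  if (referrer === "" || siteOf(from) === siteOf(to)) return referrer;
  return originOf(from) + "/";
}

function effectiveReferrer(policy, from, to) {
  return itpDowngrade(applyReferrerPolicy(policy, from, to), from, to);
}

// Constructed sample URLs.
const page = "https://app.example.com/account/reset?token=abc123#step2";
const sameSite = "https://cdn.example.com/pixel.gif";     // cross-origin, same-site
const crossSite = "https://tracker.example.net/pixel.gif"; // cross-origin, cross-site
console.log(effectiveReferrer("unsafe-url", page, sameSite));
console.log(effectiveReferrer("unsafe-url", page, crossSite));
```

Under `unsafe-url`, the same-site but cross-origin request still carries the full path and query string, while the cross-site request is reduced to the origin, which is the gap between "cross-site" and "cross-origin" that the comment points out.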