| Field | Value |
|---|---|
| Summary | Change default referrer policy to strict-origin-when-cross-origin |
| Product | WebKit |
| Component | Frames |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | davidvc-webkit |
| Assignee | Sam Sneddon [:gsnedders] <gsnedders> |
| CC | achristensen, beidson, cdumez, cyb.ai.815, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gsnedders, hta, japhet, jer.noble, kangil.han, kaustubha.reddy, mkwst, philipj, rbuis, sergio, sihui_liu, smoley, tommyw, webkit-bug-importer, wilander, youennf |
| Keywords | InRadar |
| See Also | https://github.com/w3c/webappsec-referrer-policy/pull/142 https://bugs.webkit.org/show_bug.cgi?id=215356 https://bugs.webkit.org/show_bug.cgi?id=206957 https://bugs.webkit.org/show_bug.cgi?id=217758 https://bugzilla.mozilla.org/show_bug.cgi?id=1589074 |

Description
davidvc-webkit
2020-11-13 09:43:57 PST
FYI, https://github.com/w3c/webappsec-referrer-policy/pull/142 has now merged. The only significant difference I'm aware of is in http://wpt.live/referrer-policy/gen/top.http-rp/unset/a-tag.http.html, where WebKit w. ITP enabled sends the full referrer given it uses effectively an eTLD+1-based policy.

I think all we need to do here is change our default referrer policy, and then we can drop the resource-load-statistics specific code, so let's just change the title to correspond to that.

Ah, no, that's not true. Because unsafe-url and no-referrer-when-downgrade still need the same-site behaviour. Sorry for the noise!

Note that ITP downgrades referrers *regardless* of any site policy wanting a more leaky referrer. That is the intended behavior so it’s not just about default policy.

Created attachment 433493 [details]
Patch
Comment on attachment 433493 [details]
Patch
r- due to missing tests rebaselines in this patch and EWS bubbles being red.
Created attachment 433577 [details]
Patch
Created attachment 433598 [details]
Patch
Created attachment 433669 [details]
Patch
Comment on attachment 433669 [details]
Patch
r=me
Committed r280081 (239807@main): <https://commits.webkit.org/239807@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433669 [details].
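
For readers following the thread, the sketch below is an added example, not part of the bug discussion or the WebKit patch. It follows the W3C Referrer Policy algorithm for the three policies named above and shows what changing the default means for the `Referer` value. It assumes only `https:` counts as trustworthy, uses constructed URLs, and does not model ITP's separate referrer downgrade.

```javascript
// Added illustration of the Referer value under the policies named in this
// bug, per the W3C Referrer Policy "determine request's referrer" steps.
// The function names are hypothetical; they are not WebKit APIs.

// Strip credentials and fragment before sending, or reduce to origin only.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Simplifying assumption: only https: is "potentially trustworthy"
// (the spec also accepts localhost and a few other cases).
const isTrustworthy = (url) => new URL(url).protocol === "https:";

// Returns the Referer header value, or null when none is sent.
function computeReferrer(policy, documentUrl, requestUrl) {
  const sameOrigin = new URL(documentUrl).origin === new URL(requestUrl).origin;
  const downgrade = isTrustworthy(documentUrl) && !isTrustworthy(requestUrl);
  switch (policy) {
    case "unsafe-url":
      return stripForReferrer(documentUrl, false);
    case "no-referrer-when-downgrade": // the previous default
      return downgrade ? null : stripForReferrer(documentUrl, false);
    case "strict-origin-when-cross-origin": // the new default
      if (sameOrigin) return stripForReferrer(documentUrl, false);
      return downgrade ? null : stripForReferrer(documentUrl, true);
    default:
      throw new Error("policy not covered by this example: " + policy);
  }
}

// Constructed sample: a page whose URL carries query data and a fragment.
const page = "https://shop.example/cart?item=42#reviews";
const targets = [
  "https://shop.example/api/price", // same origin
  "https://cdn.example/lib.js",     // cross origin, still https
  "http://legacy.example/pixel",    // cross origin, downgrade to http
];
for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  for (const target of targets) {
    console.log(policy, "->", target, ":", computeReferrer(policy, page, target));
  }
}
```

The cross-origin `https` row is the one that changes with the new default: the path and query no longer leave the origin.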