Bug 218909

Summary:

Change default referrer policy to strict-origin-when-cross-origin

Product:

WebKit

Reporter:

davidvc-webkit

Component:

Frames

Assignee:

Sam Sneddon [:gsnedders] <gsnedders>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, beidson, cdumez, cyb.ai.815, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gsnedders, hta, japhet, jer.noble, kangil.han, kaustubha.reddy, mkwst, philipj, rbuis, sergio, sihui_liu, smoley, tommyw, webkit-bug-importer, wilander, youennf

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://github.com/w3c/webappsec-referrer-policy/pull/142
https://bugs.webkit.org/show_bug.cgi?id=215356
https://bugs.webkit.org/show_bug.cgi?id=206957
https://bugs.webkit.org/show_bug.cgi?id=217758
https://bugzilla.mozilla.org/show_bug.cgi?id=1589074

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	none

davidvc-webkit

Reported 2020-11-13 09:43:57 PST

There's a pending PR to the referrer policy spec (https://github.com/w3c/webappsec-referrer-policy/pull/142) which changes the default policy to strict-origin-when-cross-origin. This truncates requests' referrers to (at most) their origins on all cross-origin requests that do not explicitly set more permissive policies. As part of the standard process of landing a spec PR, I'm filing this umbrella feature request/tracking bug to keep track of (intentional and unintentional) differences between WebKit and the standardized behavior in these cases.

Attachments
Patch (4.48 KB, patch) 2021-07-14 02:18 PDT, Sam Sneddon [:gsnedders]	no flags	Details Formatted Diff Diff
Patch (48.71 KB, patch) 2021-07-15 05:55 PDT, Sam Sneddon [:gsnedders]	no flags	Details Formatted Diff Diff
Patch (84.93 KB, patch) 2021-07-15 11:08 PDT, Sam Sneddon [:gsnedders]	no flags	Details Formatted Diff Diff
Patch (86.45 KB, patch) 2021-07-16 03:19 PDT, Sam Sneddon [:gsnedders]	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2020-11-16 18:26:36 PST

<rdar://problem/71468395>

Kaustubha Govind

Comment 2 2020-11-30 07:26:25 PST

FYI, https://github.com/w3c/webappsec-referrer-policy/pull/142 has now merged.

Sam Sneddon [:gsnedders]

Comment 3 2021-06-18 09:00:02 PDT

The only significant difference I'm aware of is in http://wpt.live/referrer-policy/gen/top.http-rp/unset/a-tag.http.html, where WebKit w. ITP enabled sends the full referrer given it uses effectively an eTLD+1-based policy.

Sam Sneddon [:gsnedders]

Comment 4 2021-06-18 09:06:09 PDT

I think all we need to do here is change our default referrer policy, and then we can drop the resource-load-statistics specific code, so let's just change the title to correspond to that.

Sam Sneddon [:gsnedders]

Comment 5 2021-06-18 09:13:11 PDT

Ah, no, that's not true. Because unsafe-url and no-referrer-when-downgrade still need the same-site behaviour. Sorry for the noise!

John Wilander

Comment 6 2021-06-18 10:38:28 PDT

Note that ITP downgrades referrers *regardless* of any site policy wanting a more leaky referrer. That is the intended behavior so it’s not just about default policy.

Sam Sneddon [:gsnedders]

Comment 7 2021-07-14 02:18:29 PDT

Created attachment 433493 [details] Patch

Chris Dumez

Comment 8 2021-07-14 08:18:00 PDT

Comment on attachment 433493 [details] Patch r- due to missing tests rebaselines in this patch and EWS bubbles being red.

Sam Sneddon [:gsnedders]

Comment 9 2021-07-15 05:55:56 PDT

Created attachment 433577 [details] Patch

Sam Sneddon [:gsnedders]

Comment 10 2021-07-15 11:08:37 PDT

Created attachment 433598 [details] Patch