Bug 218909

Summary: Change default referrer policy to strict-origin-when-cross-origin
Product: WebKit Reporter: davidvc-webkit
Component: FramesAssignee: Sam Sneddon [:gsnedders] <gsnedders>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, cdumez, cyb.ai.815, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gsnedders, hta, japhet, jer.noble, kangil.han, kaustubha.reddy, mkwst, philipj, rbuis, sergio, sihui_liu, smoley, tommyw, webkit-bug-importer, wilander, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://github.com/w3c/webappsec-referrer-policy/pull/142
https://bugs.webkit.org/show_bug.cgi?id=215356
https://bugs.webkit.org/show_bug.cgi?id=206957
https://bugs.webkit.org/show_bug.cgi?id=217758
https://bugzilla.mozilla.org/show_bug.cgi?id=1589074
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

Description davidvc-webkit 2020-11-13 09:43:57 PST 
There's a pending PR to the referrer policy spec (https://github.com/w3c/webappsec-referrer-policy/pull/142) which changes the default policy to strict-origin-when-cross-origin. This truncates requests' referrers to (at most) their origins on all cross-origin requests that do not explicitly set more permissive policies. As part of the standard process of landing a spec PR, I'm filing this umbrella feature request/tracking bug to keep track of (intentional and unintentional) differences between WebKit and the standardized behavior in these cases.
Comment 1 Radar WebKit Bug Importer 2020-11-16 18:26:36 PST 
<rdar://problem/71468395>
Comment 2 Kaustubha Govind 2020-11-30 07:26:25 PST 
FYI, https://github.com/w3c/webappsec-referrer-policy/pull/142 has now merged.
Comment 3 Sam Sneddon [:gsnedders] 2021-06-18 09:00:02 PDT 
The only significant difference I'm aware of is in http://wpt.live/referrer-policy/gen/top.http-rp/unset/a-tag.http.html, where WebKit w. ITP enabled sends the full referrer given it uses effectively an eTLD+1-based policy.
Comment 4 Sam Sneddon [:gsnedders] 2021-06-18 09:06:09 PDT 
I think all we need to do here is change our default referrer policy, and then we can drop the resource-load-statistics specific code, so let's just change the title to correspond to that.
Comment 5 Sam Sneddon [:gsnedders] 2021-06-18 09:13:11 PDT 
Ah, no, that's not true. Because unsafe-url and no-referrer-when-downgrade still need the same-site behaviour. Sorry for the noise!
Comment 6 John Wilander 2021-06-18 10:38:28 PDT 
Note that ITP downgrades referrers *regardless* of any site policy wanting a more leaky referrer. That is the intended behavior so it’s not just about default policy.
Comment 7 Sam Sneddon [:gsnedders] 2021-07-14 02:18:29 PDT 
Created attachment 433493 [details]
Patch
Comment 8 Chris Dumez 2021-07-14 08:18:00 PDT 
Comment on attachment 433493 [details]
Patch

r- due to missing tests rebaselines in this patch and EWS bubbles being red.
Comment 9 Sam Sneddon [:gsnedders] 2021-07-15 05:55:56 PDT 
Created attachment 433577 [details]
Patch
Comment 10 Sam Sneddon [:gsnedders] 2021-07-15 11:08:37 PDT 
Created attachment 433598 [details]
Patch
Comment 11 Sam Sneddon [:gsnedders] 2021-07-16 03:19:38 PDT 
Created attachment 433669 [details]
Patch
Comment 12 Chris Dumez 2021-07-19 09:03:11 PDT 
Comment on attachment 433669 [details]
Patch

r=me
Comment 13 EWS 2021-07-20 09:42:50 PDT 
Committed r280081 (239807@main): <https://commits.webkit.org/239807@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433669 [details].