Bug 228323
| Summary: | [ITP] Investigate making cross-site Referrer stripping stricter, using origin instead | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Sam Sneddon [:gsnedders] <gsnedders> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | achristensen, beidson, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Sam Sneddon [:gsnedders]
Currently on ToT, with the Referrer-Policy default now strict-origin-when-cross-origin, the ITP cross-site referrer stripping only applies when a Referrer-Policy of unsafe-url or no-referrer-when-downgrade is set.
It would be worthwhile seeing if we can get away (compat wise) with making ITP stricter than the current cross-site restrictions; specifically, it would be nice to see if we could enforce this on origin boundaries as this would mean we could simply treat unsafe-url as origin-when-cross-origin and no-referrer-when-downgrade as strict-origin-when-cross-origin.
To me, this is aesthetically nicer, as our behaviour can then always be explained in terms of Referrer-Policy.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/81210147>