Bug 218909 - Change default referrer policy to strict-origin-when-cross-origin
Summary: Change default referrer policy to strict-origin-when-cross-origin
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Sam Sneddon [:gsnedders]
Keywords: InRadar
Depends on:
Reported: 2020-11-13 09:43 PST by davidvc-webkit
Modified: 2021-07-20 09:42 PDT (History)
24 users (show)

See Also:

Patch (4.48 KB, patch)
2021-07-14 02:18 PDT, Sam Sneddon [:gsnedders]
no flags Details | Formatted Diff | Diff
Patch (48.71 KB, patch)
2021-07-15 05:55 PDT, Sam Sneddon [:gsnedders]
no flags Details | Formatted Diff | Diff
Patch (84.93 KB, patch)
2021-07-15 11:08 PDT, Sam Sneddon [:gsnedders]
no flags Details | Formatted Diff | Diff
Patch (86.45 KB, patch)
2021-07-16 03:19 PDT, Sam Sneddon [:gsnedders]
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description davidvc-webkit 2020-11-13 09:43:57 PST
There's a pending PR to the referrer policy spec (https://github.com/w3c/webappsec-referrer-policy/pull/142) which changes the default policy to strict-origin-when-cross-origin. This truncates requests' referrers to (at most) their origins on all cross-origin requests that do not explicitly set more permissive policies. As part of the standard process of landing a spec PR, I'm filing this umbrella feature request/tracking bug to keep track of (intentional and unintentional) differences between WebKit and the standardized behavior in these cases.
Comment 1 Radar WebKit Bug Importer 2020-11-16 18:26:36 PST
Comment 2 Kaustubha Govind 2020-11-30 07:26:25 PST
FYI, https://github.com/w3c/webappsec-referrer-policy/pull/142 has now merged.
Comment 3 Sam Sneddon [:gsnedders] 2021-06-18 09:00:02 PDT
The only significant difference I'm aware of is in http://wpt.live/referrer-policy/gen/top.http-rp/unset/a-tag.http.html, where WebKit w. ITP enabled sends the full referrer given it uses effectively an eTLD+1-based policy.
Comment 4 Sam Sneddon [:gsnedders] 2021-06-18 09:06:09 PDT
I think all we need to do here is change our default referrer policy, and then we can drop the resource-load-statistics specific code, so let's just change the title to correspond to that.
Comment 5 Sam Sneddon [:gsnedders] 2021-06-18 09:13:11 PDT
Ah, no, that's not true. Because unsafe-url and no-referrer-when-downgrade still need the same-site behaviour. Sorry for the noise!
Comment 6 John Wilander 2021-06-18 10:38:28 PDT
Note that ITP downgrades referrers *regardless* of any site policy wanting a more leaky referrer. That is the intended behavior so it’s not just about default policy.
Comment 7 Sam Sneddon [:gsnedders] 2021-07-14 02:18:29 PDT
Created attachment 433493 [details]
Comment 8 Chris Dumez 2021-07-14 08:18:00 PDT
Comment on attachment 433493 [details]

r- due to missing tests rebaselines in this patch and EWS bubbles being red.
Comment 9 Sam Sneddon [:gsnedders] 2021-07-15 05:55:56 PDT
Created attachment 433577 [details]
Comment 10 Sam Sneddon [:gsnedders] 2021-07-15 11:08:37 PDT
Created attachment 433598 [details]
Comment 11 Sam Sneddon [:gsnedders] 2021-07-16 03:19:38 PDT
Created attachment 433669 [details]
Comment 12 Chris Dumez 2021-07-19 09:03:11 PDT
Comment on attachment 433669 [details]

Comment 13 EWS 2021-07-20 09:42:50 PDT
Committed r280081 (239807@main): <https://commits.webkit.org/239807@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433669 [details].