Bug 218909 - Change default referrer policy to strict-origin-when-cross-origin
Summary: Change default referrer policy to strict-origin-when-cross-origin
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Sam Sneddon [:gsnedders]
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-11-13 09:43 PST by davidvc-webkit
Modified: 2021-07-20 09:42 PDT (History)
24 users (show)

See Also:

Attachments
Patch (4.48 KB, patch)
2021-07-14 02:18 PDT, Sam Sneddon [:gsnedders] 		no flags Details | Formatted Diff | Diff
Patch (48.71 KB, patch)
2021-07-15 05:55 PDT, Sam Sneddon [:gsnedders] 		no flags Details | Formatted Diff | Diff
Patch (84.93 KB, patch)
2021-07-15 11:08 PDT, Sam Sneddon [:gsnedders] 		no flags Details | Formatted Diff | Diff
Patch (86.45 KB, patch)
2021-07-16 03:19 PDT, Sam Sneddon [:gsnedders] 		no flags Details | Formatted Diff | Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description davidvc-webkit 2020-11-13 09:43:57 PST 
There's a pending PR to the referrer policy spec (https://github.com/w3c/webappsec-referrer-policy/pull/142) which changes the default policy to strict-origin-when-cross-origin. This truncates requests' referrers to (at most) their origins on all cross-origin requests that do not explicitly set more permissive policies. As part of the standard process of landing a spec PR, I'm filing this umbrella feature request/tracking bug to keep track of (intentional and unintentional) differences between WebKit and the standardized behavior in these cases.
Comment 1 Radar WebKit Bug Importer 2020-11-16 18:26:36 PST 
<rdar://problem/71468395>
Comment 2 Kaustubha Govind 2020-11-30 07:26:25 PST 
FYI, https://github.com/w3c/webappsec-referrer-policy/pull/142 has now merged.
Comment 3 Sam Sneddon [:gsnedders] 2021-06-18 09:00:02 PDT 
The only significant difference I'm aware of is in http://wpt.live/referrer-policy/gen/top.http-rp/unset/a-tag.http.html, where WebKit w. ITP enabled sends the full referrer given it uses effectively an eTLD+1-based policy.
Comment 4 Sam Sneddon [:gsnedders] 2021-06-18 09:06:09 PDT 
I think all we need to do here is change our default referrer policy, and then we can drop the resource-load-statistics specific code, so let's just change the title to correspond to that.
Comment 5 Sam Sneddon [:gsnedders] 2021-06-18 09:13:11 PDT 
Ah, no, that's not true. Because unsafe-url and no-referrer-when-downgrade still need the same-site behaviour. Sorry for the noise!
Comment 6 John Wilander 2021-06-18 10:38:28 PDT 
Note that ITP downgrades referrers *regardless* of any site policy wanting a more leaky referrer. That is the intended behavior so it’s not just about default policy.
Comment 7 Sam Sneddon [:gsnedders] 2021-07-14 02:18:29 PDT 
Created attachment 433493 [details]
Patch
Comment 8 Chris Dumez 2021-07-14 08:18:00 PDT 
Comment on attachment 433493 [details]
Patch

r- due to missing tests rebaselines in this patch and EWS bubbles being red.
Comment 9 Sam Sneddon [:gsnedders] 2021-07-15 05:55:56 PDT 
Created attachment 433577 [details]
Patch
Comment 10 Sam Sneddon [:gsnedders] 2021-07-15 11:08:37 PDT 
Created attachment 433598 [details]
Patch
Comment 11 Sam Sneddon [:gsnedders] 2021-07-16 03:19:38 PDT 
Created attachment 433669 [details]
Patch
Comment 12 Chris Dumez 2021-07-19 09:03:11 PDT 
Comment on attachment 433669 [details]
Patch

r=me
Comment 13 EWS 2021-07-20 09:42:50 PDT 
Committed r280081 (239807@main): <https://commits.webkit.org/239807@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433669 [details].