RESOLVED FIXED Bug 218909
Change default referrer policy to strict-origin-when-cross-origin
https://bugs.webkit.org/show_bug.cgi?id=218909
Summary Change default referrer policy to strict-origin-when-cross-origin
davidvc-webkit
Reported 2020-11-13 09:43:57 PST
There's a pending PR to the referrer policy spec (https://github.com/w3c/webappsec-referrer-policy/pull/142) which changes the default policy to strict-origin-when-cross-origin. This truncates requests' referrers to (at most) their origins on all cross-origin requests that do not explicitly set more permissive policies. As part of the standard process of landing a spec PR, I'm filing this umbrella feature request/tracking bug to keep track of (intentional and unintentional) differences between WebKit and the standardized behavior in these cases.
Attachments
Patch (4.48 KB, patch)
2021-07-14 02:18 PDT, Sam Sneddon [:gsnedders]
no flags
Patch (48.71 KB, patch)
2021-07-15 05:55 PDT, Sam Sneddon [:gsnedders]
no flags
Patch (84.93 KB, patch)
2021-07-15 11:08 PDT, Sam Sneddon [:gsnedders]
no flags
Patch (86.45 KB, patch)
2021-07-16 03:19 PDT, Sam Sneddon [:gsnedders]
no flags
Radar WebKit Bug Importer
Comment 1 2020-11-16 18:26:36 PST
Kaustubha Govind
Comment 2 2020-11-30 07:26:25 PST
Sam Sneddon [:gsnedders]
Comment 3 2021-06-18 09:00:02 PDT
The only significant difference I'm aware of is in http://wpt.live/referrer-policy/gen/top.http-rp/unset/a-tag.http.html, where WebKit w. ITP enabled sends the full referrer given it uses effectively an eTLD+1-based policy.
Sam Sneddon [:gsnedders]
Comment 4 2021-06-18 09:06:09 PDT
I think all we need to do here is change our default referrer policy, and then we can drop the resource-load-statistics specific code, so let's just change the title to correspond to that.
Sam Sneddon [:gsnedders]
Comment 5 2021-06-18 09:13:11 PDT
Ah, no, that's not true. Because unsafe-url and no-referrer-when-downgrade still need the same-site behaviour. Sorry for the noise!
John Wilander
Comment 6 2021-06-18 10:38:28 PDT
Note that ITP downgrades referrers *regardless* of any site policy wanting a more leaky referrer. That is the intended behavior so it’s not just about default policy.
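To make the policy differences in this thread concrete, here is an added example (not code from the bug or from WebKit) that computes the Referer value for each policy following the spec's "determine request's referrer" steps, with the empty policy resolving to the new strict-origin-when-cross-origin default, plus a simplified model of the ITP cap from comments 3 and 6. The registrable-domain helper is an assumption that uses the last two host labels instead of the Public Suffix List.

```javascript
const POLICIES = new Set(["no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url"]);

// Strip credentials and fragment; with originOnly, keep just scheme://host:port/.
function stripReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// A downgrade is a request from an https page to plain http.
const isDowngrade = (from, to) => from.protocol === "https:" && to.protocol === "http:";

// Returns the Referer header value, or null when no referrer is sent.
function determineReferrer(referrerUrl, requestUrl, policy = "") {
  if (policy === "") policy = "strict-origin-when-cross-origin"; // new default from the spec PR
  if (!POLICIES.has(policy)) throw new Error("unknown referrer policy: " + policy);
  const from = new URL(referrerUrl), to = new URL(requestUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = isDowngrade(from, to);
  const full = stripReferrer(referrerUrl, false), origin = stripReferrer(referrerUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return origin;
    case "unsafe-url": return full;
    case "strict-origin": return downgrade ? null : origin;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin": return sameOrigin ? full : (downgrade ? null : origin);
  }
}

// Simplified model of the ITP behaviour described above: cross-site requests (different
// registrable domain) are capped at the origin regardless of the page's policy, while
// same-site requests keep whatever the policy produced (the wpt case in comment 3).
// Assumption: registrable domain approximated as the last two host labels.
const registrableDomain = (host) => host.split(".").slice(-2).join(".");

function determineReferrerWithItp(referrerUrl, requestUrl, policy = "") {
  const value = determineReferrer(referrerUrl, requestUrl, policy);
  if (value === null) return null;
  const from = new URL(referrerUrl), to = new URL(requestUrl);
  if (registrableDomain(from.hostname) === registrableDomain(to.hostname)) return value;
  return stripReferrer(referrerUrl, true);
}
```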
Sam Sneddon [:gsnedders]
Comment 7 2021-07-14 02:18:29 PDT
Chris Dumez
Comment 8 2021-07-14 08:18:00 PDT
Comment on attachment 433493 (Patch): r- due to missing test rebaselines in this patch and EWS bubbles being red.
Sam Sneddon [:gsnedders]
Comment 9 2021-07-15 05:55:56 PDT
Sam Sneddon [:gsnedders]
Comment 10 2021-07-15 11:08:37 PDT
Sam Sneddon [:gsnedders]
Comment 11 2021-07-16 03:19:38 PDT
Chris Dumez
Comment 12 2021-07-19 09:03:11 PDT
Comment on attachment 433669 (Patch): r=me
EWS
Comment 13 2021-07-20 09:42:50 PDT
Committed r280081 (239807@main): <https://commits.webkit.org/239807@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 433669.