228323 – [ITP] Investigate making cross-site Referrer stripping stricter, using origin instead

NEW228323

[ITP] Investigate making cross-site Referrer stripping stricter, using origin instead

https://bugs.webkit.org/show_bug.cgi?id=228323

Summary [ITP] Investigate making cross-site Referrer stripping stricter, using origin...

Sam Sneddon [:gsnedders]

Reported 2021-07-27 06:50:36 PDT

Currently on ToT, with the Referrer-Policy default now strict-origin-when-cross-origin, the ITP cross-site referrer stripping only applies when a Referrer-Policy of unsafe-url or no-referrer-when-downgrade is set. It would be worthwhile seeing if we can get away (compat wise) with making ITP stricter than the current cross-site restrictions; specifically, it would be nice to see if we could enforce this on origin boundaries as this would mean we could simply treat unsafe-url as origin-when-cross-origin and no-referrer-when-downgrade as strict-origin-when-cross-origin. To me, this is aesthetically nicer, as our behaviour can then always be explained in terms of Referrer-Policy.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-07-28 04:02:54 PDT

<rdar://problem/81210147>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Page Loading

Assignee

Nobody

Reported

2021-07-27 06:50 PDT

Modified

2021-07-28 04:02 PDT History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks