228323 – [ITP] Investigate making cross-site Referrer stripping stricter, using origin instead

Bug 228323 - [ITP] Investigate making cross-site Referrer stripping stricter, using origin instead

Summary: [ITP] Investigate making cross-site Referrer stripping stricter, using origin...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Page Loading (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-07-27 06:50 PDT by Sam Sneddon [:gsnedders]
Modified:	2021-07-28 04:02 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam Sneddon [:gsnedders] 2021-07-27 06:50:36 PDT

Currently on ToT, with the Referrer-Policy default now strict-origin-when-cross-origin, the ITP cross-site referrer stripping only applies when a Referrer-Policy of unsafe-url or no-referrer-when-downgrade is set.

It would be worthwhile seeing if we can get away (compat wise) with making ITP stricter than the current cross-site restrictions; specifically, it would be nice to see if we could enforce this on origin boundaries as this would mean we could simply treat unsafe-url as origin-when-cross-origin and no-referrer-when-downgrade as strict-origin-when-cross-origin.

To me, this is aesthetically nicer, as our behaviour can then always be explained in terms of Referrer-Policy.

Comment 1 Radar WebKit Bug Importer 2021-07-28 04:02:54 PDT

<rdar://problem/81210147>