228324 – Investigate removing Referrer in all HTTPS -> HTTP cases

NEW 228324

Investigate removing Referrer in all HTTPS -> HTTP cases

https://bugs.webkit.org/show_bug.cgi?id=228324

Summary Investigate removing Referrer in all HTTPS -> HTTP cases

Sam Sneddon [:gsnedders]

Reported 2021-07-27 08:03:41 PDT

While less useful in the short term due to SNI providing leakage of the cross-site origin anyway, once ECH has more support the only data available to a passive monitor is the IP address of the secure origin; as such, at that point, it would become a big shame to then be leaking it through the Referer header when navigating to an insecure origin. This doesn't happen by default on ToT, given the Referrer-Policy default of strict-origin-when-cross-origin means we don't send a Referer in the HTTPS -> HTTP case anyway, but we should probably investigate making all the Referrer-Policy behave like this. (See Bug 228323, which is related insofar as it suggests overriding the policy in other ways.)

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-07-28 04:03:24 PDT

<rdar://problem/81210169>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Page Loading

Assignee

Nobody

Reported

2021-07-27 08:03 PDT

Modified

2021-07-28 04:03 PDT History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks