228324 – Investigate removing Referrer in all HTTPS -> HTTP cases

Bug 228324 - Investigate removing Referrer in all HTTPS -> HTTP cases

Summary: Investigate removing Referrer in all HTTPS -> HTTP cases

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Page Loading (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-07-27 08:03 PDT by Sam Sneddon [:gsnedders]
Modified:	2021-07-28 04:03 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam Sneddon [:gsnedders] 2021-07-27 08:03:41 PDT

While less useful in the short term due to SNI providing leakage of the cross-site origin anyway, once ECH has more support the only data available to a passive monitor is the IP address of the secure origin; as such, at that point, it would become a big shame to then be leaking it through the Referer header when navigating to an insecure origin.

This doesn't happen by default on ToT, given the Referrer-Policy default of strict-origin-when-cross-origin means we don't send a Referer in the HTTPS -> HTTP case anyway, but we should probably investigate making all the Referrer-Policy behave like this. (See Bug 228323, which is related insofar as it suggests overriding the policy in other ways.)

Comment 1 Radar WebKit Bug Importer 2021-07-28 04:03:24 PDT

<rdar://problem/81210169>