Issue 627968 Implement new referrer-policy states
Starred by 52 users. Project Member. Reported by est...@chromium.org, Jul 13 2016
Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature

Cc: est...@chromium.org
Issue 613737 has been merged into this issue.
Hey Emily, 

I've added support for RP to Security Headers[1] now and naturally it'd be great to see the new states added to Chrome now that RP has reached W3C CR status. Any ETA on this?

Thanks!

[1] https://schd.io/1 
Just since this has been open for quite a while, without much (or any?) activity, I'd just like to add another comment in support of this being implemented too.

I maintain a headers-focused PHP library[1] in which an upcoming version will include `Referrer-Policy: strict-origin-when-cross-origin` among its default header set.

Unfortunately, due to this bug/issue, the `no-referrer` version of this header must also be included as a fallback (which obviously has its usability disadvantages), but it remains the only value that offers at least the same security and privacy features and is also supported by Chrome.

This is just to say it would be great to see Chrome support RP (in full) so that we can all start taking advantage of it!

[1]: https://github.com/aidantwoods/SecureHeaders/issues/19
Issue 710039 has been merged into this issue.
Cc: mkwst@chromium.org
Issue 711898 has been merged into this issue.
Components: -Blink>SecurityFeature Blink>SecurityFeature>Referrer
Labels: -Pri-3 M-60 Pri-2
Issue 723917 has been merged into this issue.
Another reason for implementation: https://observatory.mozilla.org/analyze.html?host=google.com

Mozilla's Observatory (a popular tool for evaluating sites' web security defaults) recommends options that won't work on Chrome.

A reason to delay implementation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy, no one besides Firefox implements this header fully.
> A reason to delay implementation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy, no one besides Firefox implements this header fully.

How can this be a valid reason not to conform to an established standard?
Sorry, it was meant a little tongue-in-cheek.
If we're looking for reasons to implement, I also advise settings that Chrome currently doesn't support on Security Headers:

https://securityheaders.io/?q=https%3A%2F%2Fscotthelme.co.uk%2F&followRedirects=on 
It is also an official recommendation of the W3C: https://www.w3.org/blog/news/archives/6087?pk_campaign=feed&pk_kwd=w3c-invites-implementations-of-referrer-policy

"The Web Application Security Working Group invites implementations of the Candidate Recommendation of Referrer Policy. This specification describes how Web authors can set a referrer policy for documents they create, and describes the impact on the Referer HTTP header for outgoing requests and navigations."

Another reason: as far as I can see in my CSP monitoring and log analysis, very sensitive information can be provided via the referrer. As responsible developers, we have to ask ourselves about this referrer question on behalf of users who might not know this mechanism.

I always take this example to explain the interest of Referrer Policy: just imagine somebody putting a link to their company website on a forum dedicated to helping people who have had cancer. The forum should be able to help protect its users' privacy from this potential issue.

And nobody wants Chrome to be too late on this, right? :)
Labels: Restrict-AddIssueComment-EditIssue
C'mon, please cut us some slack. We wrote the spec, and implemented all but two policies years before anybody else. We'll eventually add the last two.

It's also not a recommendation, please do your homework before accusing others of ignoring an established standard.

Feel free to star the bug to follow development.
Project Member Comment 14 by bugdroid1@chromium.org, Jun 13
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4

commit c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4
Author: estark <estark@chromium.org>
Date: Tue Jun 13 22:37:40 2017

Implement new referrer policies

This CL implements the policies 'same-origin' and 'strict-origin', and
repurposes existing logic that was previously only available behind a flag for
'strict-origin-when-cross-origin'. (I've left it as a TODO for a follow-up
to rename this policy to match the spec.)

Existing web platform tests cover the new policies and should now pass.

Intent to Implement and Ship:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/TgtPUowSWuU/Y-Sn2oRsCAAJ

BUG=627968

Review-Url: https://codereview.chromium.org/2918313002
Cr-Commit-Position: refs/heads/master@{#479182}

[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/chrome/browser/referrer_policy_browsertest.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/components/sessions/ios/ios_serialized_navigation_driver.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/content/browser/devtools/protocol/network_handler.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/content/child/web_url_loader_impl.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/content/public/common/referrer.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/ios/web/public/referrer.h
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/ios/web/public/referrer_util.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/ios/web/public/referrer_util_unittest.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/net/url_request/url_request.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/net/url_request/url_request.h
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/net/url_request/url_request_job.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/net/url_request/url_request_job.h
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/net/url_request/url_request_job_unittest.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/net/url_request/url_request_unittest.cc
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/LayoutTests/TestExpectations
[delete] https://crrev.com/98258cced1d9ed158af9e98706225119b6765e2d/third_party/WebKit/LayoutTests/external/wpt/beacon/headers/header-referrer-same-origin-expected.txt
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/LayoutTests/external/wpt/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/LayoutTests/external/wpt/beacon/headers/header-referrer-strict-origin.https-expected.txt
[delete] https://crrev.com/98258cced1d9ed158af9e98706225119b6765e2d/third_party/WebKit/LayoutTests/external/wpt/fetch/api/redirect/redirect-referrer-expected.txt
[delete] https://crrev.com/98258cced1d9ed158af9e98706225119b6765e2d/third_party/WebKit/LayoutTests/external/wpt/fetch/api/redirect/redirect-referrer-worker-expected.txt
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/LayoutTests/external/wpt/fetch/api/request/request-init-001.sub-expected.txt
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/LayoutTests/http/tests/security/referrer-policy-invalid-expected.txt
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/core/dom/DocumentTest.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/core/dom/ExecutionContext.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/core/html/parser/HTMLPreloadScannerTest.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/core/inspector/InspectorNetworkAgent.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/core/inspector/browser_protocol.json
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/core/loader/LinkLoaderTest.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/modules/fetch/Request.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/modules/fetch/RequestInit.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/platform/weborigin/ReferrerPolicy.h
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/platform/weborigin/SecurityPolicy.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/platform/weborigin/SecurityPolicyTest.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/Source/web/AssertMatchingEnums.cpp
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/public/platform/OWNERS
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/public/platform/ReferrerPolicyEnumTraits.h
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/public/platform/WebReferrerPolicy.h
[modify] https://crrev.com/c8ccba8b415fa20f5ded85c58a100cfb3cdda4c4/third_party/WebKit/public/platform/referrer.mojom
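As an added illustration (not code from the CL above, from Chromium, or from SecureHeaders), here is a small Python model of what Referer value each of the policies named in this thread produces, plus the multi-token fallback that the `no-referrer, strict-origin-when-cross-origin` arrangement from the earlier comment relies on. The https-only notion of "potentially trustworthy", the verbatim port handling, and the inclusion of `no-referrer-when-downgrade` for contrast are simplifying assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL (ports kept verbatim; simplification)."""
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{p.scheme}://{host}:{p.port}" if p.port else f"{p.scheme}://{host}"


def _stripped(url: str) -> str:
    """A 'full' referrer: the URL with userinfo and fragment removed, as the spec requires."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _origin(url).split("://", 1)[1], p.path or "/", p.query, ""))


def _downgrade(src: str, dst: str) -> bool:
    """TLS-protected source to non-TLS destination (assumes only https is trustworthy)."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"


def referrer_for(policy: str, src: str, dst: str):
    """Return the Referer value a browser sends from src to dst, or None for no header."""
    same_origin = _origin(src) == _origin(dst)
    origin_only = _origin(src) + "/"  # origins are serialized with a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return _stripped(src) if same_origin else None
    if policy == "strict-origin":
        return None if _downgrade(src, dst) else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _stripped(src)
        return None if _downgrade(src, dst) else origin_only
    if policy == "no-referrer-when-downgrade":  # legacy default, shown for contrast
        return None if _downgrade(src, dst) else _stripped(src)
    raise ValueError(f"unknown policy {policy!r}")


def select_policy(header: str, known: set) -> str:
    """Effective policy from a comma-separated Referrer-Policy header: the last token the
    browser recognizes wins, so listing an older policy first and a newer one last lets a
    browser lacking the new state fall back to the older one."""
    chosen = ""
    for token in header.split(","):
        token = token.strip().lower()
        if token in known:
            chosen = token
    return chosen
```

The `select_policy` simulation shows the trade-off from the SecureHeaders comment: a browser that only knows `no-referrer` ends up sending nothing at all, even for same-origin navigations, while one that knows the newer token keeps full same-origin referrers and leaks only the origin cross-site.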
