
Issue 658761


Issue metadata

Status: Fixed
Closed: Oct 2016
Pri: 3
Type: Launch-OWP

Remove CSP 'referrer' directive

Project Member Reported by est...@chromium.org, Oct 24 2016

Issue description

Change description:
The CSP 'referrer' directive allows site owners to set a Referrer Policy (https://w3c.github.io/webappsec-referrer-policy/) for their page from an HTTP header. The 'referrer' directive has been removed from the spec and replaced with the Referrer-Policy header, thus we plan to remove support for the 'referrer' directive.

Changes to API surface:
CSP 'referrer' directive will no longer have any effect

Links:
Public standards discussion: https://github.com/w3c/webappsec-referrer-policy/pull/14

Support in other browsers:
Internet Explorer: no
Firefox: yes, but being deprecated (https://bugzilla.mozilla.org/show_bug.cgi?id=1302449)
Safari: no
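
A header audit for the migration described in this issue, as an added example that is not part of the original report or of Chromium's code: it finds a CSP `referrer` directive in a response's headers, suggests the equivalent `Referrer-Policy` value, and returns the CSP with the dead directive removed. The function names, the sample headers and the legacy-keyword table are assumptions made for illustration.

```python
# Added example: audit response headers for the removed CSP 'referrer' directive.
# Assumption: legacy keywords translate to Referrer-Policy tokens as in this table.
LEGACY = {"never": "no-referrer", "default": "no-referrer-when-downgrade",
          "always": "unsafe-url", "origin-when-crossorigin": "origin-when-cross-origin"}
# Tokens accepted by the Referrer-Policy header.
VALID = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
         "strict-origin", "origin-when-cross-origin",
         "strict-origin-when-cross-origin", "unsafe-url"}

def split_policy(policy):
    """Yield (name, value_tokens, raw_text) for each directive of one policy."""
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            yield parts[0].lower(), parts[1:], raw.strip()

def audit(headers):
    """Return a migration report for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    report = {"found": [], "suggested_referrer_policy": None,
              "cleaned_csp": None, "already_migrated": "referrer-policy" in h}
    cleaned_policies = []
    # One header value may carry several comma-separated policies.
    for policy in h.get("content-security-policy", "").split(","):
        kept = []
        for name, tokens, raw in split_policy(policy):
            if name != "referrer":
                kept.append(raw)  # e.g. a report-uri whose URL contains "referrer"
                continue
            token = tokens[0].lower() if tokens else ""
            token = LEGACY.get(token, token)
            report["found"].append(raw)
            # Invalid or empty tokens yield no suggestion; pick a value by hand.
            if token in VALID and report["suggested_referrer_policy"] is None:
                report["suggested_referrer_policy"] = token
        if kept:
            cleaned_policies.append("; ".join(kept))
    if report["found"]:
        report["cleaned_csp"] = ", ".join(cleaned_policies)
    return report

# Constructed sample response headers (not taken from the issue).
SAMPLE = {
    "Content-Security-Policy":
        "default-src 'self'; Referrer never; report-uri /csp?src=referrer",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Matching on the parsed directive name rather than on the substring `referrer` keeps unrelated directives, such as a `report-uri` whose URL contains that word, out of the findings.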
 

Comment 1 by est...@chromium.org, Oct 25 2016

Components: Blink>SecurityFeature
Project Member

Comment 2 by bugdroid1@chromium.org, Oct 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0a9c07c90d40fb1f3c76e93451948343cc306911

commit 0a9c07c90d40fb1f3c76e93451948343cc306911
Author: estark <estark@chromium.org>
Date: Tue Oct 25 20:29:26 2016

Remove CSP referrer directive

Intent to Remove: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/JqUlPA-HFfU

BUG= 658761 

Review-Url: https://codereview.chromium.org/2445823002
Cr-Commit-Position: refs/heads/master@{#427454}

[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/fetch/referrer/no-referrer-document.html
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/fetch/referrer/origin-only-document.html
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/fetch/referrer/origin-when-cross-origin-document.html
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/fetch/referrer/resources/empty-referrer-origin.html
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/fetch/referrer/resources/origin-when-cross-origin-dedicated-worker-js.php
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-http-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-http-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-http-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-http-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-https-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-https-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-https-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-always-https-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-http-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-http-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-http-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-http-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-https-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-https-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-https-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-default-https-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-http-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-http-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-http-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-http-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-https-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-https-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-https-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-empty-https-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-http-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-http-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-http-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-http-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-https-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-https-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-https-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-https-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-http-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-http-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-http-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-http-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-https-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-https-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-https-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-never-https-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-http-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-http-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-http-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-http-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-https-http-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-https-http.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-https-https-expected.txt
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/referrer-origin-https-https.html
[delete] https://crrev.com/7ef6ef2681b0315a2e360ae51fe25d62f320c03f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/referrer-test.js
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker.php
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/security/referrer-policy-worker-no-referrer.html
[rename] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-from-document-on-preload-expected.html
[rename] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-from-document-on-preload.php
[rename] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/LayoutTests/http/tests/security/referrerPolicyHeader/referrer-policy-header-then-meta.php
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/0a9c07c90d40fb1f3c76e93451948343cc306911/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Comment 3 by est...@chromium.org, Oct 25 2016

Status: Fixed (was: Assigned)
