Origin isn't sync with referrerpolicy
Reported by mikkocar...@gmail.com, May 24 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36

Steps to reproduce the problem:
1. Visit http://cm2.pw/poc/chrome/origin
2. Notice the "Origin" header (and absence of Referer header)
3. View-source and observe the corresponding referrerpolicy which is to say not to include referrer at all

What is the expected behavior?
Since referrerpolicy is set not to send referrer at all, I assume it's expected not to see any data about requesting origin at all. So, even when one expects not to reveal his/her site's identity, it gets leaked when making cross-origin requests.

What went wrong?
When referrerpolicy is set to "no-referrer", Origin shouldn't be sent (and similar behavior for other policies)

Did this work before? N/A

Chrome version: 66.0.3359.181 Channel: stable
OS Version:
Flash Version:

This works in all browsers, including Tor

May 25 2018
Yes, this is working as intended. Referrer policy is only intended to govern the behavior of the Referer header, not any other headers like Origin. See https://lists.w3.org/Archives/Public/public-webappsec/2016Feb/0005.html

If you'd like to discuss this further, please open an issue against the Referrer Policy spec: https://github.com/w3c/webappsec-referrer-policy

Sep 1
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Comment 1 by dominickn@chromium.org, May 24 2018
Components: Blink>SecurityFeature>Referrer
Labels: Security_Severity-Low Security_Impact-Stable
Owner: est...@chromium.org
Status: Assigned (was: Unconfirmed)