Closed Bug 1185019 Opened 10 years ago Closed 8 years ago

How to handle referer on cross-origin requests with redirection to same-origin

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1264792

People

(Reporter: franziskus, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Performing a same-origin request after a redirect that pointed at a different origin is treated as a same-origin request. Consider the following scenario:

* a.com has a link to b.com/test
* b.com/test redirects to a.com/test

The request that actually retrieves the page is a same-origin request; however, the question arises whether this should be the case. This gets important, for example, in the case of an origin-when-cross-origin referrer policy. The current behaviour of Firefox is that origin is sent to b.com/test, but the full referrer is sent to a.com/test. It was argued [2][3] that this is not the desired behaviour (Chrome hence sends only origin to a.com/test). However, according to [1], I think the full referrer should be sent.

[1] http://www.w3.org/html/wg/drafts/html/master/browsers.html#origin
[2] https://lists.w3.org/Archives/Public/public-webappsec/2015May/0140.html
[3] https://code.google.com/p/chromium/issues/detail?id=492615
Summary: How to handle cross-origin requests with redirection to same-origin → How to handle referer on cross-origin requests with redirection to same-origin
Whiteboard: [domsecurity-backlog]
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
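
The two behaviours described in the report, as an added example that is not part of the original bug or of any browser's code: it computes the Referer value for each hop of the a.com → b.com/test → a.com/test chain under origin-when-cross-origin. The function names, the `per-hop` / `tainted` mode labels, the https scheme and the sample path and query are assumptions made for illustration.

```javascript
// Added illustration. Models only the two outcomes described in the report;
// it is not taken from Firefox or Chrome source.

function originOf(url) {
  return new URL(url).origin;
}

// Referer value under origin-when-cross-origin:
// full URL (fragment and credentials stripped) when same-origin, origin only otherwise.
function referrerFor(referrerUrl, sameOrigin) {
  const r = new URL(referrerUrl);
  r.hash = "";
  r.username = "";
  r.password = "";
  return sameOrigin ? r.href : r.origin + "/";
}

// chain: URLs requested in order (initial request, then each redirect target).
// mode "per-hop": every hop is compared only with the referrer's origin
//                 (the Firefox behaviour the report describes).
// mode "tainted": once any hop was cross-origin, later hops get origin only
//                 (assumed model of the Chrome behaviour the report describes).
function referrersAlongChain(referrerUrl, chain, mode) {
  const refOrigin = originOf(referrerUrl);
  let crossed = false;
  return chain.map((target) => {
    const hopSame = originOf(target) === refOrigin;
    if (!hopSame) crossed = true;
    const sameOrigin = mode === "tainted" ? hopSame && !crossed : hopSame;
    return { target, referrer: referrerFor(referrerUrl, sameOrigin) };
  });
}

// Constructed sample input: the linking page carries a query string that
// would be disclosed whenever the full referrer is sent.
const REFERRER = "https://a.com/account?id=42#section";
const CHAIN = ["https://b.com/test", "https://a.com/test"];

for (const mode of ["per-hop", "tainted"]) {
  for (const hop of referrersAlongChain(REFERRER, CHAIN, mode)) {
    console.log(`${mode}: ${hop.target} <- Referer: ${hop.referrer}`);
  }
}
```

In both modes b.com/test receives only the origin; the modes differ only in what the final same-origin request to a.com/test carries.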