Closed Bug 1318477 Opened 9 years ago Closed 9 years ago

[observatory] define a Referrer policy for Phonebook

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: Atoll)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3756])

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://github.com/mozilla/http-observatory/issues/107

> +5 if the header is set with no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin
> 0 if the header is not implemented or its value is no-referrer-when-downgrade
> -5 if the header is invalid, or is set with unsafe-url, origin or origin-when-cross-origin

I recommend we use the "strict-origin-when-cross-origin" policy:

- within the HTTPS Phonebook site, the Referer header will be maintained
- when sent to other HTTPS sites, the Referer will be truncated to 'https://phonebook.mozilla.org'
- when sent to any HTTP sites, the Referer will be blank.

This will provide a +5 bonus to Phonebook, raising its score to 130/100.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3756]
Probably this:

> Referrer-Policy: no-referrer, strict-origin-when-cross-origin

It's what I use for my own domain. It'll use the latter if supported; otherwise, no referrer will be sent.
What browser versions support Referrer-Policy: no-referrer but NOT strict-origin-when-cross-origin?
Chrome and Firefox. :)
Err, maybe just Chrome? Firefox is getting full support in... 52? Chrome has partial support, with full support eventually coming.
Okay. So, to use "no-referrer, strict-origin-when-cross-origin" we have to be comfortable stripping referrer for the vast majority of clients, or we have to drop "no-referrer" so that older clients behave normally and newer clients behave sensibly. I have a theory that our privacy team would be very interested in defining a policy around this particular websec header for *all* Mozilla properties to adhere to, where possible.
I decided that we'll use only "strict-origin-when-cross-origin" for now. It's not ideal that older clients will continue sending a Referer header, but as clients update over time to support it, they'll behave more securely. Deployed to phonebook dev/stage for testing.
Group: infra
"referrer-policy": {
    "data": "strict-origin-when-cross-origin",
    "expectation": "referrer-policy-private",
    "pass": true,
    "result": "referrer-policy-private",
    "score_description": "Referrer-Policy header set to \"no-referrer\", \"same-origin\", \"strict-origin\" or \"strict-origin-when-cross-origin\"",
    "score_modifier": 5
},

+5 bonus observed on dev. The header has no apparent effect due to browser implementations being WIP, but at least it's there when they are.
Full phonebook-dev report:

Score: 130 [A+]

Modifiers:
  Content Security Policy        [+10]  Content Security Policy (CSP) implemented with default-src 'none' and no 'unsafe'
  Contribute                     [  0]  Contribute.json implemented with the required contact information
  Cookies                        [  0]  All cookies use the Secure flag and all session cookies use the HttpOnly flag
  Cross Origin Resource Sharing  [  0]  Content is not visible via cross-origin resource sharing (CORS) files or headers
  Public Key Pinning             [ +5]  HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000)
  Redirection                    [  0]  Initial redirection is to https on same host, final destination is https
  Referrer Policy                [ +5]  Referrer-Policy header set to "no-referrer", "same-origin", "strict-origin" or "strict-origin-when-cross-origin"
  Strict Transport Security      [  0]  HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)
  Subresource Integrity          [ +5]  Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin
  X Content Type Options         [  0]  X-Content-Type-Options header set to "nosniff"
  X Frame Options                [ +5]  X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive
  X Xss Protection               [  0]  X-XSS-Protection header set to "1; mode=block"
Assignee: server-ops-webops → rsoderberg
(In reply to Richard Soderberg [:atoll] from comment #5)
> Okay. So, to use "no-referrer, strict-origin-when-cross-origin" we have to
> be comfortable stripping referrer for the vast majority of clients, or we
> have to drop "no-referrer" so that older clients behave normally and newer
> clients behave sensibly.

This was selected as the final policy, because we're currently leaking search keywords in referrer headers to third-party sites. Fixing that *only* in Firefox isn't sufficient, so we'll strip referrer unless they have the more secure model available.

Updating policy in dev and testing.
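The policy semantics argued over in comments 0, 1, 5 and 9 can be checked mechanically. The Python below is an added example, not code from this bug, from Phonebook or from the HTTP Observatory: it implements the Referrer Policy spec's rule that a comma-separated header is a fallback list in which the last token the client recognises wins (so "no-referrer, strict-origin-when-cross-origin" is strict on a new client and no-referrer on an old one), computes the Referer a client would send for each policy against constructed Phonebook URLs, and applies the Observatory scoring rule quoted in comment 0. Assumptions: clients with no applicable policy behave as no-referrer-when-downgrade (the browser default at the time; current browsers default to strict-origin-when-cross-origin), origin-only referrers carry the trailing slash the spec serialises (so "https://phonebook.mozilla.org/" rather than the bare origin written in comment 0), tokens are matched exactly, and a fallback list is scored on its effective policy.

```python
"""Model of the Referrer-Policy behaviour discussed in this bug (added example)."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = frozenset({
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
})

# Assumption: clients with no applicable policy fall back to
# no-referrer-when-downgrade, the browser default when this bug was filed.
DEFAULT_POLICY = "no-referrer-when-downgrade"

# Observatory scoring rule as quoted in comment 0.
GOOD = frozenset({"no-referrer", "same-origin", "strict-origin",
                  "strict-origin-when-cross-origin"})
NEUTRAL = frozenset({"no-referrer-when-downgrade"})


def parse_policy(header, supported=POLICIES):
    """Effective policy for a header value that may be a fallback list.

    Per the spec, unrecognised tokens are ignored and the last recognised
    token wins.  `supported` models the client's vocabulary; pass a smaller
    set to simulate an older browser.  Returns "" when nothing matches.
    """
    policy = ""
    for token in header.split(","):
        token = token.strip()  # assumption: exact, case-sensitive match
        if token in supported:
            policy = token
    return policy


def _hostport(parts):
    # Drop any userinfo; default ports are not normalised here.
    return parts.netloc.rsplit("@", 1)[-1]


def _origin(parts):
    return f"{parts.scheme}://{_hostport(parts)}"


def _full_referrer(parts):
    # "Full" referrer: the URL with credentials and fragment stripped.
    return urlunsplit((parts.scheme, _hostport(parts), parts.path or "/",
                       parts.query, ""))


def referer_for(policy, source, destination):
    """Referer value sent from `source` to `destination`; None = header omitted."""
    src, dst = urlsplit(source), urlsplit(destination)
    if policy not in POLICIES:
        policy = DEFAULT_POLICY
    same_origin = _origin(src) == _origin(dst)
    downgrade = src.scheme == "https" and dst.scheme == "http"  # TLS -> cleartext
    full = _full_referrer(src)
    origin_only = _origin(src) + "/"  # spec serialises origin with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin_only
    return None if downgrade else full  # no-referrer-when-downgrade


def observatory_score(header):
    """Score modifier per comment 0's rule; None means the header is absent.

    Assumption: a fallback list is scored on its effective policy, and a
    header with no recognisable token is treated as invalid.
    """
    if header is None:
        return 0
    policy = parse_policy(header)
    if policy in GOOD:
        return 5
    if policy in NEUTRAL:
        return 0
    return -5


if __name__ == "__main__":
    # Constructed URLs: a Phonebook search page linking out to three places.
    page = "https://phonebook.mozilla.org/search?q=alice"
    for policy in ("strict-origin-when-cross-origin", ""):
        for dest in ("https://phonebook.mozilla.org/user/alice",
                     "https://example.com/", "http://example.com/"):
            print(f"{policy or '(none)':32} -> {dest:40} {referer_for(policy, page, dest)}")
    old_client = POLICIES - {"same-origin", "strict-origin",
                             "strict-origin-when-cross-origin"}
    print(parse_policy("no-referrer, strict-origin-when-cross-origin", old_client))
```

Running it shows the three cases from comment 0 for the strict policy, the search keyword leaking to https://example.com/ under the no-policy default (the leak comment 9 describes), and that an old client given the two-token header lands on no-referrer, which is the trade-off comment 5 weighs.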
Prod will be CHG0011417 when it goes out.
Deployed prod and verified expected behavior per comment 9.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Phonebook prod, post-SSO, now 130 (up 5):

$ httpobs-local-scan --cookies "$(cat mellon)" --format report phonebook.mozilla.org

Score: 130 [A+]

Modifiers:
  Content Security Policy        [+10]  Content Security Policy (CSP) implemented with default-src 'none' and no 'unsafe'
  Contribute                     [  0]  Contribute.json implemented with the required contact information
  Cookies                        [  0]  All cookies use the Secure flag and all session cookies use the HttpOnly flag
  Cross Origin Resource Sharing  [  0]  Content is not visible via cross-origin resource sharing (CORS) files or headers
  Public Key Pinning             [ +5]  HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000)
  Redirection                    [  0]  Initial redirection is to https on same host, final destination is https
  Referrer Policy                [ +5]  Referrer-Policy header set to "no-referrer", "same-origin", "strict-origin" or "strict-origin-when-cross-origin"
  Strict Transport Security      [  0]  HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)
  Subresource Integrity          [ +5]  Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin
  X Content Type Options         [  0]  X-Content-Type-Options header set to "nosniff"
  X Frame Options                [ +5]  X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive
  X Xss Protection               [  0]  X-XSS-Protection header set to "1; mode=block"
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard