Origin header should honor ReferrerPolicy
Categories
(Core :: DOM: Security, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox69 | --- | fixed |
People
(Reporter: CuveeHsu, Assigned: CuveeHsu)
Details
(Whiteboard: [domsecurity-backlog2])
Attachments
(3 files)
Comment 12•6 years ago
(In reply to Junior [:junior] from comment #11)
After discussion, we want to restrict the Origin: and not to expose
information more than Referer:
The plan is:
(a) don't expose CORS with Origin: (i.e. network.http.sendOriginHeader = 1)
From the view of the spec. 4.4.5.10, we need to add Origin: if CORS flag is set [1]
This might lead to changes [2]
[1] https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
[2] https://github.com/whatwg/fetch/issues/871
Comment 13•6 years ago
Test is ready.
https://github.com/web-platform-tests/wpt/pull/15937
Comment 14•5 years ago
Spec work
https://github.com/whatwg/fetch/pull/908
Comment 17•5 years ago
(In reply to Junior [:junior] from comment #13)
Test is ready.
https://github.com/web-platform-tests/wpt/pull/15937
Test-fix patch
https://github.com/web-platform-tests/wpt/pull/17280
Comment 18•5 years ago
Origin: honors ReferrerPolicy: so we should honor defaultPolicy set by user
Comment 21•5 years ago
Should have landed the whole stack in one shot.
Comment 25•5 years ago
Please land the three patches in one shot. Thanks.
Comment 26•5 years ago
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7ca62c730aa4
P1 refactor ReferrerInfo for reuse referrer-policy algorithm r=tnguyen
https://hg.mozilla.org/integration/autoland/rev/2c610261152d
P2 Let Origin: honor ReferrerPolicy for non-CORS r=tnguyen,valentin
https://hg.mozilla.org/integration/autoland/rev/601362e2871d
P3 fix test r=tnguyen
Comment 27•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7ca62c730aa4
https://hg.mozilla.org/mozilla-central/rev/2c610261152d
https://hg.mozilla.org/mozilla-central/rev/601362e2871d