Closed Bug 1589074 Opened 5 years ago Closed 3 years ago

Set referrer policy default to strict-origin-when-cross-origin

Categories

(Core :: DOM: Security, enhancement, P2)

enhancement

Tracking


RESOLVED FIXED
87 Branch
Tracking Status
firefox87 --- fixed

People

(Reporter: tnguyen, Assigned: dlee)

References

Details

(Keywords: dev-doc-complete, privacy, Whiteboard: [domsecurity-active])

Attachments

(13 files, 2 obsolete files)


https://github.com/w3c/webappsec-referrer-policy/pull/125

And Google planned to ship that, so I think it's worth shipping it in Firefox too. But maybe we can wait until it successfully ships in Chrome.

Whiteboard: [domsecurity-active]

FYI: We already set this strict-origin-when-cross-origin for known trackers in Nightly according to bug 1533763.

(In reply to Frederik Braun [:freddyb] from comment #1)

FYI: We already set this strict-origin-when-cross-origin for known trackers in Nightly according to bug 1533763.

Yes, but much more broadly, we've been shipping strict-origin-when-cross-origin as the default referrer policy for private browsing mode for several years now.

Assignee: nobody → tnguyen
Status: NEW → ASSIGNED

It is probably a good idea to measure the amount of unsafe-url usage using a long-term telemetry probe to make sure websites aren't reverting to using that en masse in response to this change.

We could try to ship https://github.com/w3c/webappsec-referrer-policy/pull/124 at the same time.

(In reply to Anne (:annevk) from comment #7)

We could try to ship https://github.com/w3c/webappsec-referrer-policy/pull/124 at the same time.

Interesting idea!

Anne, I think this one would be good to get out the door, right? Or can it remain in the backlog for now?

Assignee: tnguyen → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(annevk)
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]

Yeah, it would be good to do this (together with unsafe-url -> no-referrer-when-downgrade).

Flags: needinfo?(annevk)

Chrome Intent to Ship: New referrer policy default of strict-origin-when-cross-origin

https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/lqFuqwZDDR8/m/nKPRTc7DAQAJ

Keywords: dev-doc-needed

Bug 970136 seems a duplicate

Assignee: nobody → dlee
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]

Chrome shipped this so we could follow, I think. WPT has also been updated.

(In reply to Anne (:annevk) from comment #25)

Chrome shipped this so we could follow, I think. WPT has also been updated.

Thank you for the information. I'll update the patch and make sure we pass all those testcases.

Attachment #9172619 - Attachment is obsolete: true
Attachment #9172620 - Attachment is obsolete: true

We now change the default referrer policy to strict-origin-when-cross-origin to follow the spec.
This patch reverts the changes made related to referrer policy in Bug 1678042 (bypassing referrer failures after syncing latest wpt tests).

Depends on D88555

Hi Anne, Christoph and Steven,
The current plan is to land this change in the 86 cycle, but there are two questions I would like to check with you before landing:

  • Do we want to implement Comment 7 (make 'unsafe-url' an alias for 'no-referrer-when-downgrade') along with the default policy change?
  • Do we also want to allow websites to override the default with a looser policy, or do we prefer to still allow it for now and maybe add telemetry to see how often sites change it in the future?

Thanks for your help!
Flags: needinfo?(steve.england)
Flags: needinfo?(ckerschb)
Flags: needinfo?(annevk)

That's great to hear Dimi. To address your questions in order:

  1. I think we should not touch unsafe-url for now as I don't think Chrome has either, but I pinged the PR to see if there are things we might be missing there. (Note that your link has an additional 0 at the end that causes it to 404.)
  2. I think for now we want to allow websites to override this, similar to Chrome, but longer term we should indeed be thinking about clamping that down. Telemetry and analysis of websites would definitely help. The risk with further clamping down is that websites will still leak this state via other means that might be harder to catch so we need to carefully think through that tradeoff as well.
Flags: needinfo?(annevk)
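To make the two points above concrete (what the new default actually sends, and how a site-level or request-level policy still overrides it), here is an added JavaScript example. It is not code from the Firefox patch or from the spec repository; it models the "determine request's referrer" algorithm of the W3C Referrer Policy spec for each policy value, and resolves the effective policy in the order Fetch uses (request-level policy, then document policy, then browser default). The URLs, the helper names, the `effectivePolicy` signature and the simplified trustworthiness check are this example's own assumptions.

```javascript
// Added example, not code from the Firefox patch or the spec repository.
// Models the Referrer Policy spec's "determine request's referrer" for each
// policy value, so the effect of switching the browser default from
// no-referrer-when-downgrade to strict-origin-when-cross-origin can be seen
// on concrete URLs. Uses only the WHATWG URL class built into Node; no network.

const OLD_DEFAULT = 'no-referrer-when-downgrade';     // Firefox before 87
const NEW_DEFAULT = 'strict-origin-when-cross-origin'; // Firefox 87, Chrome 85

// Simplified "potentially trustworthy" check (assumption: https/wss plus
// loopback). The real check in the Secure Contexts spec also covers file:,
// *.localhost and a few other cases.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return u.protocol === 'https:' || u.protocol === 'wss:' ||
    u.hostname === 'localhost' || u.hostname === '127.0.0.1' || u.hostname === '[::1]';
}

// "Strip url for use as a referrer": drop credentials and fragment; only
// http(s) URLs are ever sent as a referrer. Returns null for "no referrer".
function stripForReferrer(url, originOnly = false) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (originOnly) return u.origin + '/';
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Referer value (or null) for a request from `from` to `to` under `policy`.
function computeReferrer(policy, from, to) {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  // A TLS-protected source sending to a non-trustworthy destination is a downgrade.
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);
  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return stripForReferrer(from);
    case 'origin':                     return stripForReferrer(from, true);
    case 'same-origin':                return sameOrigin ? stripForReferrer(from) : null;
    case 'strict-origin':              return downgrade ? null : stripForReferrer(from, true);
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(from);
    case 'origin-when-cross-origin':
      return sameOrigin ? stripForReferrer(from) : stripForReferrer(from, true);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(from);
      return downgrade ? null : stripForReferrer(from, true);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Resolve the policy that applies to one request. Precedence follows Fetch:
// the request's own policy (<a referrerpolicy=...>, fetch(url, {referrerPolicy}))
// beats the document policy (Referrer-Policy header or <meta name="referrer">),
// which beats the browser default. The empty string means "not set" at every
// level, as in the spec. This signature is the example's own assumption.
function effectivePolicy({ request = '', document = '' } = {}, browserDefault = NEW_DEFAULT) {
  return request || document || browserDefault;
}

// What the same request leaks under the old and the new browser default,
// with any site-level or request-level override applied first.
function compareDefaults(from, to, overrides) {
  return {
    before: computeReferrer(effectivePolicy(overrides, OLD_DEFAULT), from, to),
    after:  computeReferrer(effectivePolicy(overrides, NEW_DEFAULT), from, to),
  };
}

// Constructed sample: a logged-in page loading a third-party resource.
const SAMPLE_FROM = 'https://shop.example/account?order=42#summary';
const SAMPLE_TO = 'https://tracker.example/pixel';
console.log('no override     ', compareDefaults(SAMPLE_FROM, SAMPLE_TO));
console.log('site opts back in', compareDefaults(SAMPLE_FROM, SAMPLE_TO, { document: 'unsafe-url' }));
```

With no override, the new default turns `https://shop.example/account?order=42` into `https://shop.example/` on the cross-origin request and into no Referer at all if the destination is plain http; the same-origin case is unchanged. A site that sets `Referrer-Policy: unsafe-url` still gets the full URL sent, which is the behaviour the telemetry suggested above is meant to watch for.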

I suspect you meant to ping me Dimi. Anne's comment makes sense to me.

Flags: needinfo?(steve.england)

Hi Anne, Steven,
The original plan was to land this patch early in the 86 cycle, but after discussing with Christoph, we both agree that landing the change right before Christmas may not be a good idea. We prefer changing the plan to land it early in 87 (25 Jan), so we will have time to react to breakage, if any. But we are also fine with landing it when the holiday is over (3 Jan) if 87 is too late. Please let me know if you have any thoughts on this.

Flags: needinfo?(senglehardt)
Flags: needinfo?(ckerschb)
Flags: needinfo?(annevk)

Seems fine, we're not in a rush. (I'll also clear Steven's needinfo since I very much doubt he'd disagree.)

Flags: needinfo?(senglehardt)
Flags: needinfo?(annevk)
Pushed by dlee@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/454beae0f635
Set referrer policy default to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/f093f3c48807
Fix anti-tracking mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=timhuang
https://hg.mozilla.org/integration/autoland/rev/712f147c5a41
Fix network mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=kershaw,necko-reviewers
https://hg.mozilla.org/integration/autoland/rev/78df7f0ccb31
Fix worker mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=baku
https://hg.mozilla.org/integration/autoland/rev/e8e6d9a6b90d
Fix devtools mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=nchevobbe
https://hg.mozilla.org/integration/autoland/rev/9fe67741eb5a
Fix dom mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/3cffd4570c8e
Fix sessionrestore mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=mconley
https://hg.mozilla.org/integration/autoland/rev/da996dc79d5d
Fix geckoview test failures after changing default referrer policy to strict-origin-when-cross-origin. r=geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/b7a0d73a2885
Update wpt tests that are expected success after changing default referrer policy to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/a306f2483d73
Revert referrer related changes made in Bug 1678042 to pass wpt failures. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/10e37ec238ee
Fix docshell mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=smaug
Pushed by dlee@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/414252d2e46c
Set referrer policy default to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/4d7a026e765e
Fix anti-tracking mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=timhuang
https://hg.mozilla.org/integration/autoland/rev/695ee14cd948
Fix network mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=kershaw,necko-reviewers
https://hg.mozilla.org/integration/autoland/rev/9831c19f47b9
Fix worker mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=baku
https://hg.mozilla.org/integration/autoland/rev/c1b832f3ce06
Fix devtools mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=nchevobbe
https://hg.mozilla.org/integration/autoland/rev/dd516f0ffc30
Fix dom mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/be5da5f62651
Fix sessionrestore mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=mconley
https://hg.mozilla.org/integration/autoland/rev/c0d300b33c6b
Fix geckoview test failures after changing default referrer policy to strict-origin-when-cross-origin. r=geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/87753b6ce36f
Update wpt tests that are expected success after changing default referrer policy to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/05c83764972e
Revert referrer related changes made in Bug 1678042 to pass wpt failures. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/cbe882c7bff5
Fix docshell mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=smaug
https://hg.mozilla.org/integration/autoland/rev/0b948812b858
Fix download xpcshell-test failures after changing default referrer policy to strict-origin-when-cross-origin r=ckerschb
Backout by apavel@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/17f61493037d
Backed out 11 changesets for causing failures on test_DownloadCore.js.
Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/autoland/rev/9a469bfcf4f9
Set referrer policy default to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/328001ac7573
Fix anti-tracking mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=timhuang
https://hg.mozilla.org/integration/autoland/rev/9a5186247b7a
Fix network mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=kershaw,necko-reviewers
https://hg.mozilla.org/integration/autoland/rev/e1bfeb2c467c
Fix worker mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=baku
https://hg.mozilla.org/integration/autoland/rev/69dfc7e086ec
Fix devtools mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=nchevobbe
https://hg.mozilla.org/integration/autoland/rev/1bdccdb8e90b
Fix dom mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/aa07696c3f85
Fix sessionrestore mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=mconley
https://hg.mozilla.org/integration/autoland/rev/36db07f697fd
Fix geckoview test failures after changing default referrer policy to strict-origin-when-cross-origin. r=geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/2e54315e8428
Update wpt tests that are expected success after changing default referrer policy to strict-origin-when-cross-origin. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/5555815ae0a6
Revert referrer related changes made in Bug 1678042 to pass wpt failures. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/2c6b1318917b
Fix docshell mochitest failures after changing default referrer policy to strict-origin-when-cross-origin. r=smaug CLOSED TREE
Flags: needinfo?(dlee)

FYI the MDN documentation for this in FF87 is (very nearly) complete and can be tracked here. The "live" docs here indicate the new preference. The browser compatibility update with relevant versions should merge in the next couple of days. Please comment in https://github.com/mdn/content/issues/2516 if you think we're missing anything obvious.

Documentation done, so marking as DDC. Thanks for the great work Hamish!

Regressions: 1698580

When I updated to ff87 my network.http.referer.XOriginTrimmingPolicy (which was on the default setting 0) did not change. Is this only for new installations and refreshes? If so, is it acceptable to open an issue asking for the new default to also be set on updates (perhaps for cases where the user did not change the value)?

(In reply to eyal gruss (eyaler) from comment #43)

When I updated to ff87 my network.http.referer.XOriginTrimmingPolicy (which was on the default setting 0) did not change...

The pref changed here was network.http.referer.defaultPolicy - https://hg.mozilla.org/mozilla-central/rev/4d7a026e765e

Regressions: 1751604