
Explanation of the heading 'referrer-policy' header obsolete

Open mdavids opened this issue 3 years ago • 1 comments

I don't think the explanation for the 'referrer-policy' header is correct anymore.

It says the default is 'no-referrer-when-downgrade', but that seems to be 'strict-origin-when-cross-origin' these days [1].

I also wondered whether it might be desirable to distinguish between 'origin', 'path' and 'querystring', in terms of sensitivity of information?

There is no doubt that "https://www.example.nl/path?geheimpassword=blah" is sensitive information.

But does that also apply to "https://www.example.nl/", so just the origin?

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

mdavids, Jun 09 '22 09:06

Thanks. There is an issue for the update of the default policy that seems to cover your first point: #645. As this is only content, I just changed the planned milestone for that issue from 1.6 to 1.5.

The second part of your comment seems to be something to check and discuss further. It might be best to file that in a separate issue. Ok?

baknu, Jun 09 '22 11:06