[Security] Change Referrer-Policy default to strict-origin-when-cross-origin#512
anthonyroussel wants to merge 1 commit into digitalocean:master from
Conversation
`no-referrer-when-downgrade` leaks full URLs (path + query string) to cross-origin third parties. `strict-origin-when-cross-origin` only sends the origin on cross-origin requests, which is the modern secure default.
Type of Change
What issue does this relate to?
No GitHub issue related, PR opened directly.
What should this PR do?
`Referrer-Policy` header value:
- `no-referrer-when-downgrade` sends the full URL (including path and query string) as the `Referer` header to any HTTPS destination, potentially leaking sensitive data (tokens, IDs, search terms) to third-party servers (external pages referenced, iframes, external images, third-party scripts, fonts, and external XHR HTTP requests to third-party APIs, for example).
- `strict-origin-when-cross-origin`, which only sends the origin on cross-origin requests (default value in browsers).
What are the acceptance criteria?
- `strict-origin-when-cross-origin` as the default `Referrer-Policy` value when no custom value is selected
- `no-referrer-when-downgrade` remains available as an option in the dropdown
- `no-referrer-when-downgrade` is no longer the pre-selected default in the UI
Sources
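Added example (not part of the PR or the project's code): a small model of the Referrer Policy algorithm for the two values compared above, showing what `Referer` header a browser would send from a constructed page URL to a third-party script. The function name `refererFor`, the hostnames and the token value are assumptions.

```javascript
// Simplified form of the Referrer Policy spec's steps for the two policies
// the PR compares. Illustrative only; browsers implement the full algorithm.

function stripForReferrer(url) {
  // The spec strips credentials and the fragment before any policy applies.
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

function isDowngrade(from, to) {
  // HTTPS page requesting a plain-HTTP destination.
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Returns the Referer header value, or null when no header would be sent.
function refererFor(policy, sourceUrl, destUrl) {
  const from = new URL(sourceUrl);
  const to = new URL(destUrl);
  const sameOrigin = from.origin === to.origin;
  const full = stripForReferrer(sourceUrl);   // path + query survive
  const originOnly = from.origin + '/';        // scheme://host[:port]/
  switch (policy) {
    case 'no-referrer-when-downgrade':
      // Full URL to every HTTPS destination, first or third party.
      return isDowngrade(from, to) ? null : full;
    case 'strict-origin-when-cross-origin':
      // Full URL only to the same origin; origin only across origins.
      if (isDowngrade(from, to)) return null;
      return sameOrigin ? full : originOnly;
    default:
      throw new Error(`policy not modelled here: ${policy}`);
  }
}

// Constructed sample (hypothetical hosts and token): a reset page whose
// query string carries a token loads a third-party script over HTTPS.
const page = 'https://app.example.test/reset?token=abc123#step2';
const thirdParty = 'https://cdn.thirdparty.test/lib.js';

console.log(refererFor('no-referrer-when-downgrade', page, thirdParty));
// https://app.example.test/reset?token=abc123   (token leaks to the CDN)
console.log(refererFor('strict-origin-when-cross-origin', page, thirdParty));
// https://app.example.test/                      (origin only)
```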