Referrer-Policy: expand applicable media-types + stricter default #204
Conversation
To emphasize, if we don't change the example policy, then people who enable it as-is will downgrade and send more referrer information than the new default value.
You know my sensitivity regarding coverage. 😉
Coverage is important, indeed! To clarify, the
While it is stronger than
Then it looks good for me 👍
Do we have any info that this is indeed useful for non-HTML resources? Sorry, I don't have the time to follow this repo closely nowadays.
I think the most explicit information I have found for this is in the Referrer-Policy spec under the section "integration with CSS" (linked to in #204 (comment)):
I interpret that as advice for developers to set the header for stylesheets.
And partially confirmed in https://www.chromestatus.com/feature/5696724538490880.
* Bump server-config-test to 1.2.1
* Additional compression method added for gzip (h5bp#236)
* Fixed description for SSL session cache & timeout (h5bp#237)
* Add `font/ttf` & `font/eot` to compressible mime-types list (h5bp#242)
  Ref:
  * jshttp/mime-db#169
  * developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/webfont-optimization#reducing_font_size_with_compression
* Improve HSTS documentation
  Ref: h5bp/server-configs-apache#196
* Stricter default for Referrer Policy
  Ref: h5bp/server-configs-apache#204
* Add funding file
* Rename no-transform.conf file to content_transformation.conf
  Align with other files and with Apache struct

Co-authored-by: Léo Colombaro <git@colombaro.fr>
Co-authored-by: Jogendra Kumar <39511714+jkumar-roambee@users.noreply.github.com>
Co-authored-by: Rahil <54960886+plethorahil@users.noreply.github.com>
Co-authored-by: minusf <minusf@gmail.com>
This PR does 2 things:

1. Expanding media-types for which `Referrer-Policy` should be sent, part of the effort to close out Ensure HTTP headers are applied to the correct Content-Type #187. I've reused the same media-type matching as done in CSP, which I think is appropriate for Referrer-Policy as well. I can't say for sure if there are more media-types to cover, as this isn't properly documented anywhere on the web AFAICT. Nevertheless, this should be an improvement regarding users' privacy in comparison to the current matching of `text/html` only. Some resources confirming the applicable media-types:
   * https://w3c.github.io/webappsec-referrer-policy/#integration-with-html
   * https://w3c.github.io/webappsec-referrer-policy/#integration-with-css
   * https://w3c.github.io/webappsec-referrer-policy/#integration-with-fetch
   * Referrer policy of referencing in SVG? w3c/webappsec-referrer-policy#108
2. Add a stricter default value, replacing `no-referrer-when-downgrade` with `strict-origin-when-cross-origin` for 2 reasons: `strict-origin-when-cross-origin` will be the new default - scheduled for release in Chrome 80.

I simplified the Referrer-Policy description as well; the current text is more or less copy&paste from the spec and is not super developer-friendly.
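To make the privacy difference behind reason 2 concrete, here is an added example (not part of this PR or of h5bp's config) that computes the Referer value a browser sends under each Referrer-Policy value, following the spec's algorithm. It assumes `https` is the only "potentially trustworthy" scheme and uses constructed sample URLs; the function and variable names are the example's own.

```python
"""Referer value a browser sends under each Referrer-Policy value (added example)."""
from typing import Dict, Optional
from urllib.parse import urlsplit

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
            "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url")

def origin(url: str) -> str:
    """scheme://host[:port]; credentials, path, query and fragment are dropped."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname or ''}" + (f":{p.port}" if p.port else "")

def full_referrer(url: str) -> str:
    """Full referrer form: origin + path + query (userinfo and fragment stripped)."""
    p = urlsplit(url)
    return origin(url) + p.path + (f"?{p.query}" if p.query else "")

def referrer_for(policy: str, source: str, destination: str) -> Optional[str]:
    """Referer for a request from `source` to `destination`, or None for no header.
    Assumption: only https is 'potentially trustworthy', so https -> non-https is a downgrade."""
    same_origin = origin(source) == origin(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme != "https"
    full, orig = full_referrer(source), origin(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # old example value: full URL to any https origin
        return None if downgrade else full
    if policy == "origin":
        return orig
    if policy == "origin-when-cross-origin":
        return full if same_origin else orig
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else orig
    if policy == "strict-origin-when-cross-origin":  # new default: origin only, nothing on downgrade
        return full if same_origin else (None if downgrade else orig)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")

def compare(source: str, destination: str) -> Dict[str, Optional[str]]:
    """Referer under every policy value for one request, keyed by policy."""
    return {p: referrer_for(p, source, destination) for p in POLICIES}

if __name__ == "__main__":  # constructed sample: a logged-in page loading a third-party pixel
    for policy, value in compare("https://app.example.test/account/settings?id=42#billing",
                                 "https://analytics.example.net/pixel.gif").items():
        print(f"{policy:32} {value}")
```

Running it shows the old value handing the full path and query string to the third party while the new value sends only the origin, which is the downgrade the review comment above warns about.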