
Use Origin instead of Referer in the request header #379

Closed
yi-gu opened this issue Nov 23, 2022 · 7 comments · Fixed by #423
Labels
documentation Improvements or additions to documentation

Comments

yi-gu (Collaborator) commented Nov 23, 2022

As agreed in issue 230, we should send Origin instead of Referer:

  • UA should use Origin instead of Referer for the requests that need to expose the RP
  • UA should send no Origin (instead of Origin: null) for requests that do not expose the RP
yi-gu added the documentation label Nov 23, 2022

yi-gu (Collaborator, Author) commented Nov 30, 2022
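The two bullets above describe the contract an IdP endpoint can rely on once this change lands: a bare Origin (no path) on requests that expose the RP, and no Origin header at all on requests that do not. As an added example, not code from the FedCM spec or from any browser or IdP, here is a server-side check of that contract in Node.js. On endpoints that expose the RP it requires a well-formed, non-null Origin and matches it, after canonicalisation, against a registered-RP allowlist; on endpoints that do not, it expects the header to be absent. The endpoint paths, the request shape, the allowlist and the decision to refuse an unexpected Origin are all assumptions made for the example.

```javascript
'use strict';

// Added example, not the FedCM spec's or any browser/IdP code. Endpoint paths,
// request shape and allowlist are assumptions made for illustration.

// Endpoints of a hypothetical IdP that are allowed to learn which RP is calling.
// The issue's rule: the UA sends Origin (a bare origin, no path) only to these.
const ENDPOINTS_EXPOSING_RP = new Set(['/fedcm/client-metadata', '/fedcm/id-assertion']);

// Parse a value as a serialized origin: scheme://host[:port] and nothing else.
// Returns the canonical origin (lowercased host, default port dropped) or null
// when the value is not a bare origin (has a path, query, credentials, or is opaque).
function toOrigin(value) {
  if (typeof value !== 'string') return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.origin === 'null') return null;        // opaque origin (file:, data:, sandboxed)
  if (u.href !== u.origin + '/') return null;  // anything beyond the origin is rejected
  return u.origin;
}

// Case-insensitive header lookup; Node lowercases names, other stacks may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Decide whether a request to a FedCM endpoint carries an acceptable RP identity.
// req: { path, headers }; allowedRpOrigins: origins of RPs registered with this IdP.
// Returns { ok: true, rp } or { ok: false, reason }.
function checkRpOrigin(req, allowedRpOrigins) {
  const exposesRp = ENDPOINTS_EXPOSING_RP.has(req.path);
  const origin = getHeader(req.headers, 'origin');

  if (!exposesRp) {
    // A conforming UA sends no Origin here at all (not "Origin: null"). One that
    // arrives anyway did not come from the FedCM flow, so refuse rather than
    // silently learning the RP on an endpoint that must not see it.
    return origin === undefined
      ? { ok: true, rp: null }
      : { ok: false, reason: 'unexpected-origin' };
  }

  if (origin === undefined) return { ok: false, reason: 'missing-origin' };
  if (origin === 'null') return { ok: false, reason: 'opaque-origin' };

  const rp = toOrigin(origin);
  if (rp === null) return { ok: false, reason: 'malformed-origin' };

  // Compare canonical origins so "https://RP.example:443" matches "https://rp.example".
  const allowed = new Set(allowedRpOrigins.map(toOrigin).filter((o) => o !== null));
  if (!allowed.has(rp)) return { ok: false, reason: 'rp-not-registered' };

  return { ok: true, rp };
}

// Constructed sample requests (not captured traffic) showing each decision.
const REGISTERED_RPS = ['https://rp.example'];
const SAMPLES = [
  { path: '/fedcm/id-assertion', headers: { Origin: 'https://RP.example:443' } },
  { path: '/fedcm/id-assertion', headers: { Origin: 'null' } },
  { path: '/fedcm/id-assertion', headers: { Origin: 'https://rp.example/login?u=1' } },
  { path: '/fedcm/id-assertion', headers: {} },
  { path: '/fedcm/accounts', headers: {} },
  { path: '/fedcm/accounts', headers: { origin: 'https://rp.example' } },
];
for (const req of SAMPLES) {
  console.log(req.path, JSON.stringify(req.headers), '->', JSON.stringify(checkRpOrigin(req, REGISTERED_RPS)));
}
```

The check deliberately treats a Referer-shaped value such as `https://rp.example/login?u=1` as malformed rather than stripping the path itself: the point of this issue is that the UA hands the IdP an origin, so the server should not have to reconstruct one from a header whose contents depend on Referrer-Policy and on whatever sits between the browser and the server.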

After some discussion internally, we'd like to better understand the rationale for the change, i.e., why is Origin a better choice in this case?

The FedCM spec explicitly states that the referrer is set to the "origin" (aka with no path), so the potential risk of "referrer could expose path with certain policy (e.g. no-referrer-when-downgrade)" does not seem to be a real concern.

@bvandersloot-mozilla could you please shed some light here?

bvandersloot-mozilla (Collaborator) commented:

I don't recall there being a reason that the Referer header would be better than Origin. Without that reasoning, we should try to use Origin. It is a more modern concept and its semantics agree with the value we have. Also, on a minor note, some middleboxes tamper with the Referer header, and that was part of the reasoning for the introduction of Origin IIRC.

npm1 (Collaborator) commented Dec 2, 2022

@annevk was there any other reason we missed? Unfortunately we forgot the reason mentioned in the discussion.

yoavweiss commented:

So, IIUC, we're talking here about non-CORS requests having the Origin header instead of a Referrer.
Can y'all outline the reasoning for this? Also, are there any precedents for this?

At least in the past, I've seen servers that use the Origin header to distinguish CORS from non-CORS headers (e.g. to decide if they need to send ACAO, maybe for other things). Are we sure that sending Origin headers on non-CORS requests won't cause weird side-effects?

annevk commented Dec 15, 2022

Chrome pioneered using the Origin header outside of CORS for CSRF @yoavweiss (without much of a specification at the time), so... (This only got standardized properly in the last couple of years in Fetch by someone at Mozilla.)

@bvandersloot-mozilla lists the reason, which is also the reason we have Origin to begin with. Referer got stripped by middleware, so Origin is a more reliable signal.

With Referer you also run into questions around browser preferences and Referrer Policy.

yoavweiss commented:

OK, thanks!

antosart commented Feb 7, 2023

Ping here. I think it would be important to clarify this in the spec.

6 participants