mtn / cocoa-eh-hugo-theme

An enhanced version of Cocoa. Clean, fast, and responsive theme with cool typography.
https://themes.gohugo.io/theme/cocoa-eh-hugo-theme/
MIT License

Referrer #109

Closed Nizzlay closed 6 years ago

Nizzlay commented 6 years ago

Allows browsers to pass referrer data to sites.

mtn commented 6 years ago

Okay, so I'm not super familiar with this so you're going to have to help me understand your motivation. This definitely doesn't seem like a trivial change though:

Note: The policy’s name doesn’t lie; it is unsafe. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of setting such a policy for potentially sensitive documents.

That's from here.

Nizzlay commented 6 years ago

Basically setting "no-referrer" will mess up analytical data. Both for yourself, and any site you link to. It will show all visits as "direct", since it doesn't know from where the visitor came.

By default when removing this line it will fall back to "no-referrer-when-downgrade", which means all works as long as links are also in the HTTPS protocol.

From what I understand setting it to "unsafe-url" would mean that this data gets passed, even if you link to a site which only has HTTP (even though your own site is HTTPS).

Not sure if it would have other security consequences.

When unsure you could just remove the line, and let the defaults handle it. Which should be fine in most cases.

You can see examples here of what the results would be: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
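The differences discussed above (what "no-referrer", "no-referrer-when-downgrade" and "unsafe-url" actually send, and why "unsafe-url" is the one that leaks) are easy to see by modelling the browser's referrer computation. The following is an added example, not code from the theme or from either participant; it implements the W3C Referrer Policy decision for all eight policy values, with a constructed sample page URL, and assumes the theme sets the policy through a `<meta name="referrer">` tag in its head partial (the PR itself does not show the line). Note for anyone reading this later: "no-referrer-when-downgrade" was the browser default when this thread was written; current browsers default to "strict-origin-when-cross-origin", which also trims cross-origin referrers to the origin.

```javascript
// Added example: model of how a browser derives the Referer value for a
// navigation from page `from` to page `to` under a given Referrer-Policy.
// Follows the W3C Referrer Policy algorithm; this is not the theme's code.

// "Potentially trustworthy" is simplified here to TLS-only; the real
// definition also covers localhost, file:, and a few other cases.
function isTrustworthy(url) {
  return new URL(url).protocol === "https:";
}

// Browsers strip credentials and the fragment before sending a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer string a browser would send, or "" for no referrer.
function referrerFor(policy, from, to) {
  const src = new URL(from);
  const dst = new URL(to);
  const full = stripForReferrer(from);
  const originOnly = src.origin + "/";           // spec serialises origin with a trailing slash
  const downgrade = isTrustworthy(from) && !isTrustworthy(to); // HTTPS page -> HTTP link
  const sameOrigin = src.origin === dst.origin;

  switch (policy) {
    case "no-referrer":
      return "";
    case "no-referrer-when-downgrade":          // the default at the time of this PR
      return downgrade ? "" : full;
    case "same-origin":
      return sameOrigin ? full : "";
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? "" : originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":     // the default in current browsers
      if (downgrade) return "";
      return sameOrigin ? full : originOnly;
    case "unsafe-url":
      return full;                               // full URL even to HTTP destinations
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// True when the policy would send the page's path/query to a non-TLS
// destination, i.e. the leak the spec note in this thread warns about.
function leaksPathOverPlaintext(policy, from, to) {
  const ref = referrerFor(policy, from, to);
  return !isTrustworthy(to) && ref !== "" && ref !== new URL(from).origin + "/";
}

// Constructed sample: an HTTPS blog page whose path and query are sensitive.
const SAMPLE_PAGE = "https://blog.example/posts/secret-draft?token=abc#top";
const HTTP_LINK = "http://analytics.example/";
const HTTPS_LINK = "https://other.example/";

// Summary table for the three policies discussed in the PR.
function comparePolicies(from = SAMPLE_PAGE) {
  const rows = {};
  for (const policy of ["no-referrer", "no-referrer-when-downgrade", "unsafe-url"]) {
    rows[policy] = {
      toHttps: referrerFor(policy, from, HTTPS_LINK),
      toHttp: referrerFor(policy, from, HTTP_LINK),
      leaksOverPlaintext: leaksPathOverPlaintext(policy, from, HTTP_LINK),
    };
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(comparePolicies());
}

module.exports = { referrerFor, stripForReferrer, leaksPathOverPlaintext, comparePolicies };
```

Running it shows that "no-referrer" sends nothing either way (hence the "direct" traffic in analytics), "no-referrer-when-downgrade" sends the full URL to HTTPS links but nothing to HTTP links, and only "unsafe-url" sends the full path and query to the HTTP destination, where anyone on the path can read it.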

mtn commented 6 years ago

Hm, I think I see what the unsafe thing is warning about -- if you get man-in-the-middled, the attacker could see a bunch of information about the referrer we don't want to leak. How about we just remove the line and let the default handle it?

Nizzlay commented 6 years ago

Default should be fine.

mtn commented 6 years ago

Great, thanks!