securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

Multiple Referrer-Policy values not parsed correctly #65

Status: Closed (bitnesswise closed this issue 5 years ago)

bitnesswise commented 5 years ago

When multiple referrer-policy values are specified in the header, the value of the first is considered, instead of the last. Example:

Referrer-Policy: origin-when-cross-origin,strict-origin-when-cross-origin

Result:

Warning
Referrer-Policy: The "origin-when-cross-origin" value is not recommended.

But origin-when-cross-origin is the fallback; when there is support for strict-origin-when-cross-origin, that is the value that should come out on top. I think the website should reflect that, because this actually gives better security than not specifying a fallback.
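The fallback semantics described above, as an added example that is not part of the issue or of the securityheaders.io code: a browser applies the last token in a Referrer-Policy header that it recognises, so an older browser that does not know `strict-origin-when-cross-origin` falls back to `origin-when-cross-origin`, while a current one applies the stronger policy. The set of "weak" values a scanner warns about is an assumption here; the page itself only names `origin-when-cross-origin` as not recommended.

```python
"""Resolve the effective Referrer-Policy from a comma-separated header value.

The Referrer Policy spec lets a header carry several policy tokens so that older
browsers can fall back to an earlier one they recognise; a browser applies the
LAST token it recognises and ignores unknown ones. The scanner bug reported in
this issue looked at the first token instead.
"""
from typing import Optional

# Policy tokens defined by the W3C Referrer Policy specification.
KNOWN_POLICIES = frozenset({
    "", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
})

# Assumed warning set (not from the page): these can leak the origin or the full
# URL to a less secure destination.
WEAK_POLICIES = frozenset({"unsafe-url", "origin-when-cross-origin",
                           "no-referrer-when-downgrade"})


def parse_policy_tokens(header_value: str) -> list[str]:
    """Split the header the way a browser does: on commas, trimmed, lower-cased."""
    return [tok.strip().lower() for tok in header_value.split(",")]


def effective_policy(header_value: str,
                     supported: frozenset = KNOWN_POLICIES) -> Optional[str]:
    """Policy a browser with the given vocabulary would apply.

    The last recognised, non-empty token wins; with no recognised token the
    result is None (the browser keeps its default policy).
    """
    chosen = None
    for tok in parse_policy_tokens(header_value):
        if tok in supported and tok != "":
            chosen = tok
    return chosen


def first_token_bug(header_value: str) -> Optional[str]:
    """The behaviour reported in the issue: take the first token regardless."""
    tokens = parse_policy_tokens(header_value)
    return tokens[0] if tokens and tokens[0] else None


def assess(header_value: str) -> tuple[Optional[str], Optional[str]]:
    """Return (effective policy, warning or None), judging the effective value."""
    policy = effective_policy(header_value)
    if policy is None:
        return None, "no recognised Referrer-Policy value"
    if policy in WEAK_POLICIES:
        return policy, f'The "{policy}" value is not recommended.'
    return policy, None
```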

ScottHelme commented 5 years ago

This will be fixed in the deploy today.