Closed marcoscaceres closed 6 years ago
@rsolomakhin @marcoscaceres as far as I can tell strict-origin-when-cross-origin is a pretty reasonable change that helps address this. Any reason not to just change the spec?
I'm OK with this.
Sounds great. Thanks @domenic.
So, going to work on this, I realized that there are actually three requests involved, and right now they all happen to use the page's URL as the referrer:
I think we're mostly concerned about protecting the first of these, right? So that should get strict-origin-when-cross-origin referrer policy.
For the other two, I think instead of changing the referrer policy, we should actually change the referrer, to reflect the resource that initiated the request. So the PMM request's referrer should be the identifier URL, and the web app manifest's referrer should be the PMM's URL. How does that sound?
That sounds logical, @domenic 👍
We want to restrict the referrer policy to not leak information about a product or service that a user is paying for. At the same time, we want the payment app hosting the manifest to protect itself from DoS attacks or bad actors.
As such, we need some restrictive origin policy, like "strict-origin-when-cross-origin" or similar...
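An added example (not code from this thread or from the Payment Method Manifest spec) that models what the browser puts in `Referer` under `strict-origin-when-cross-origin` versus the old default, then applies @domenic's proposal to the three fetches: page URL as referrer for the identifier fetch, identifier URL for the PMM fetch, PMM URL for the web app manifest fetch. It assumes all three fetches use the strict policy (the thread only fixes the policy for the first), and every URL is a constructed placeholder.

```javascript
// Added example: models Referer computation for the three payment-method
// fetches discussed in the thread. Not from the spec or the thread.

// Referrer Policy's "strip url for use as a referrer": drop credentials and fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// True when an HTTPS referrer would be sent to a non-HTTPS destination.
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol !== 'https:';
}

// Returns the Referer header value, or null when no Referer should be sent.
function referrerFor(policy, referrerUrl, requestUrl) {
  const from = new URL(referrerUrl);
  const to = new URL(requestUrl);
  switch (policy) {
    case 'no-referrer-when-downgrade': // the historical browser default
      return isDowngrade(from, to) ? null : stripForReferrer(from.href);
    case 'strict-origin-when-cross-origin':
      if (isDowngrade(from, to)) return null;
      if (from.origin === to.origin) return stripForReferrer(from.href);
      return from.origin + '/'; // cross-origin: origin only, path and query stay home
    default:
      throw new Error('unsupported policy: ' + policy);
  }
}

// The three fetches, each carrying the referrer the thread proposes for it.
// Assumption: all three use strict-origin-when-cross-origin.
function paymentFetchReferrers(pageUrl, identifierUrl, pmmUrl, webAppManifestUrl) {
  const policy = 'strict-origin-when-cross-origin';
  return {
    identifier: referrerFor(policy, pageUrl, identifierUrl),
    pmm: referrerFor(policy, identifierUrl, pmmUrl),
    webAppManifest: referrerFor(policy, pmmUrl, webAppManifestUrl),
  };
}
```

Run `paymentFetchReferrers` with a checkout page URL that carries an order path or query string to see that only the merchant's origin reaches the payment method's server.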