This repository has been archived by the owner on May 10, 2024. It is now read-only.

Strip the referrer entirely on cross-origin navigation requests and iframe sub-resources #2494

Closed
jumde opened this issue Apr 29, 2020 · 3 comments

jumde commented Apr 29, 2020

From: brave/brave-browser#3422

jumde added the privacy label Apr 29, 2020

fmarier commented May 27, 2020

Our behavior on Desktop is a bit more complicated than what can fit in the issue title, and it is also in the middle of changing.

However, currently on iOS, we don't spoof or strip the referrer in any way as can be seen on https://fmarier.github.io/brave-testing/referrer-spoofing.html.


fmarier commented Mar 3, 2021

Given that we've aligned with Safari (capping the referrer to strict-origin-when-cross-origin), I think we can close this.

Would be good to give it a quick test first using the test pages we use in brave-core:


jumde commented Mar 3, 2021

Verified on 1.23.1 - all tests look good.
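
The following is an added example, not part of the thread and not Brave's code: it computes the `Referer` value a request would carry when the page's Referrer-Policy is capped at `strict-origin-when-cross-origin`, which gives expected values to compare against when running a referrer test page. It assumes "capping" means never disclosing more than `strict-origin-when-cross-origin` would for the same request; the function names and URLs are constructed for illustration.

```javascript
// Disclosure levels: 0 = no referrer, 1 = origin only, 2 = full URL.
const NONE = 0, ORIGIN = 1, FULL = 2;

// Most that each standard Referrer-Policy value discloses for a request.
function policyLevel(policy, sameOrigin, downgrade) {
  switch (policy) {
    case 'no-referrer': return NONE;
    case 'same-origin': return sameOrigin ? FULL : NONE;
    case 'origin': return ORIGIN;
    case 'strict-origin': return downgrade ? NONE : ORIGIN;
    case 'origin-when-cross-origin': return sameOrigin ? FULL : ORIGIN;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? FULL : (downgrade ? NONE : ORIGIN);
    case 'no-referrer-when-downgrade': return downgrade ? NONE : FULL;
    case 'unsafe-url': return FULL;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Assumed cap model: take the stricter of the page policy and the cap.
function cappedReferrer(pagePolicy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // Simplified downgrade test: HTTPS page requesting a non-HTTPS URL.
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  const level = Math.min(
    policyLevel(pagePolicy, sameOrigin, downgrade),
    policyLevel('strict-origin-when-cross-origin', sameOrigin, downgrade));
  if (level === NONE) return '';
  if (level === ORIGIN) return from.origin + '/';
  // A full-URL referrer never carries the fragment or credentials.
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href;
}

// Constructed sample page URL and destinations.
const PAGE = 'https://shop.example/cart?item=42#pay';
for (const [policy, dest] of [
  ['unsafe-url', 'https://cdn.example/lib.js'],
  ['unsafe-url', 'https://shop.example/checkout'],
  ['no-referrer-when-downgrade', 'http://tracker.example/'],
  ['same-origin', 'https://cdn.example/lib.js'],
]) {
  console.log(policy, '->', dest, '=', JSON.stringify(cappedReferrer(policy, PAGE, dest)));
}
```
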
