1. Cybersecurity >
  2. Programmierung >
  3. A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin

ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin


Programmierung vom | Direktlink: developers.google.com Nachrichten Bewertung

A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin

Before we start:

  • If you're unsure of the difference between "site" and "origin", check out Understanding "same-site" and "same-origin".
  • The Referer header is missing an R, due to an original misspelling in the spec. The Referrer-Policy header and referrer in JavaScript and the DOM are spelled correctly.

Summary

  • Browsers are evolving towards privacy-enhancing default referrer policies, to provide a good fallback when a website has no policy set.
  • Chrome plans to gradually enable strict-origin-when-cross-origin as the default policy in 85; this may impact use cases relying on the referrer value from another origin.
  • This is the new default, but websites can still pick a policy of their choice.
  • To try out the change in Chrome, enable the flag at chrome://flags/#reduced-referrer-granularity. You can also check out this demo to see the change in action.
  • Beyond the referrer policy, the way browsers deal with referrers might change—so keep an eye on it.

What's changing and why?

HTTP requests may include the optional Referer header, which indicates the origin or web page URL the request was made from. The Referer-Policy header defines what data is made available in the Referer header, and for navigation and iframes in the destination's document.referrer.

Exactly what information is sent in the Referer header in a request from your site is determined by the Referrer-Policy header you set.

Diagram: Referer sent in
      a request.
Referrer-Policy and Referer.

When no policy is set, the browser's default is used. Websites often defer to the browser’s default.

For navigations and iframes, the data present in the Referer header can also be accessed via JavaScript using document.referrer.

Up until recently, no-referrer-when-downgrade has been a widespread default policy across browsers. But now many browsers are in some stage of moving to more privacy-enhancing defaults.

Starting in Chrome 85, Chrome is switching its default policy from no-referrer-when-downgrade to strict-origin-when-cross-origin.

This means that if no policy is set for your website, Chrome will use strict-origin-when-cross-origin by default. Note that you can still set a policy of your choice; this change will only have an effect on websites that have no policy set.

Note: this step to help reduce silent cross-site user tracking is part of a larger initiative: the Privacy Sandbox. Check Digging into the Privacy Sandbox for more details.

What does this change mean?

strict-origin-when-cross-origin offers more privacy. With this policy, only the origin is sent in the Referer header of cross-origin requests.

This prevents leaks of private data that may be accessible from other parts of the full URL such as the path and query string.

Diagram: Referer sent
      depending on the policy, for a cross-origin request.
Referer sent (and document.referrer) for a cross-origin request, depending on the policy.

For example:

Cross-origin request, sent from https://site-one.example/**stuff/detail?tag=red** to https://site-two.example/…:

What stays the same?

  • Like no-referrer-when-downgrade, strict-origin-when-cross-origin is secure: no referrer (Referer header and document.referrer) is present when the request is made from an HTTPS origin (secure) to an HTTP one (insecure). This way, if your website uses HTTPS (if not, make it a priority), your website's URLs won't leak in non-HTTPS requests—because anyone on the network can see these, so this would expose your users to man-in-the-middle-attacks.
  • Within the same origin, the Referer header value is the full URL.

For example: Same-origin request, sent from https://site-one.example/**stuff/detail?tag=red** to https://site-one.example/…:

What's the impact?

Based on discussions with other browsers and Chrome's own experimentation run in Chrome 84, user-visible breakage is expected to be limited.

Server-side logging or analytics that rely on the full referrer URL being available are likely to be impacted by reduced granularity in that information.

What do you need to do?

Chrome plans to start rolling out the new default referrer policy in 85 (July 2020 for beta, August 2020 for stable). See status in the Chrome status entry.

Understand and detect the change

To understand what the new default changes in practice, you can check out this demo.

You can also use this demo to detect what policy is applied in the Chrome instance you are running.

Test the change, and figure out if this will impact your site

You can already try out the change starting from Chrome 81: visit chrome://flags/#reduced-referrer-granularity in Chrome and enable the flag. When this flag is enabled, all websites without a policy will use the new strict-origin-when-cross-origin default.

Chrome screenshot: how
      to enable the flag chrome://flags/#reduced-referrer-granularity.
Enabling the flag.

You can now check how your website and backend behave.

Another thing to do to detect impact is to check if your website's codebase uses the referrer—either via the Referer header of incoming requests on the server, or from document.referrer in JavaScript.

Certain features on your site might break or behave differently if you're using the referrer of requests from another origin to your site (more specifically the path and/or query string) AND this origin uses the browser's default referrer policy (i.e. it has no policy set).

If this impacts your site, consider alternatives

If you're using the referrer to access the full path or query string for requests to your site, you have a few options:

  • Use alternative techniques and headers such as Origin and Sec-fetch-Site for your CSRF protection, logging, and other use cases. Check out Referer and Referrer-Policy: best practices.
  • You can align with partners on a specific policy if this is needed and transparent to your users. Access control—when the referrer is used by websites to grant specific access to their resources to other origins—might be such a case although with Chrome's change, the origin will still be shared in the Referer Header (and in document.referrer).

Note that most browsers are moving in a similar direction when it comes to the referrer (see browser defaults and their evolutions in Referer and Referrer-Policy: best practices.

Implement an explicit, privacy-enhancing policy across your site

What Referer should be sent in requests originated by your website, i.e. what policy should you set for your site?

Even with Chrome's change in mind, it's a good idea to set an explicit, privacy-enhancing policy like strict-origin-when-cross-origin or stricter right now.

This protects your users and makes your website behave more predictably across browsers. Mostly, it gives you control —rather than having your site depend on browser defaults.

Check Referer and Referrer-Policy: best practices for details on setting a policy.

About Chrome enterprise

The Chrome enterprise policy ForceLegacyDefaultReferrerPolicy is available to IT administrators who would like to force the previous default referrer policy of no-referrer-when-downgrade in enterprise environments. This allows enterprises additional time to test and update their applications.

This policy will be removed in Chrome 88.

Send feedback

Do you have feedback to share or something to report? Share feedback on Chrome's intent to ship, or tweet your questions at @maudnals.

With many thanks for contributions and feedback to all reviewers - especially Kaustubha Govind, David Van Cleve, Mike West, Sam Dutton, Rowan Merewood, Jxck and Kayce Basques.

Resources

...
https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default?utm_source=feed&utm_medium=feed&utm_campaign=updates_feed

Externe Quelle mit kompletten Inhalt anzeigen


Zur Startseite von Team IT Security

➤ Weitere Beiträge von Team Security | IT Sicherheit

A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin

vom 1590 Punkte ic_school_black_18dp
A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin Before we start: If you're unsure of the difference between "site" and "origin", check out Understanding "same-site" and "same-origin". The Referer header is missing an R, due to

Bunkerized-Nginx - Nginx Docker Image Secure By Default

vom 728.11 Punkte ic_school_black_18dp
nginx Docker image secure by default. Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself. Non

Chrome 85: Upload Streaming, Human Interface Devices, Custom Properties with Inheritance and More

vom 420.66 Punkte ic_school_black_18dp
Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 85 is beta as of July 23, 2020. Fetch Upload Streaming Fetch u

Azure Marketplace new offers – Volume 38

vom 372.73 Punkte ic_school_black_18dp
We continue to expand the Azure Marketplace ecosystem. For this volume, 121 new offers successfully met the onboarding criteria and went live. See details of the new offers below: Applications AGIR Segurança Cibernética - Certificação PCI DSS: Obtai

Azure Marketplace new offers – Volume 39

vom 348.49 Punkte ic_school_black_18dp
We continue to expand the Azure Marketplace ecosystem. For this volume, 136 new offers successfully met the onboarding criteria and went live. See details of the new offers below: Applications ACR Lift & Shift: Stratum ACR Lift and Shift is an enter

EA Origin Insecurity (when local bugs go remote... again) [15 Mar 2013]

vom 347.01 Punkte ic_school_black_18dp
Original PDF https://revuln.com/files/ReVuln_EA_Origin_Insecurity.pdf   EA ORIGIN INSECURITY (WHEN LOCAL BUGS GO REMOTE.. AGAIN) Luigi Auriemma and Donato Ferrante ReVuln http://revuln.com [email protected] http://twitter.com/revuln 28 February 2013 Abstract In t

Azure Marketplace new offers – Volume 37

vom 341.27 Punkte ic_school_black_18dp
We continue to expand the Azure Marketplace ecosystem. For this volume, 163 new offers successfully met the onboarding criteria and went live. See details of the new offers below: Applications Accela Civic Platform and Civic Applications: Accela's fast-

Jok3R - Network And Web Pentest Framework

vom 339.06 Punkte ic_school_black_18dp
Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests.Its main goal is to save time on everything that can be automated during network/web pentest in order to enjoy more

Azure Marketplace new offers – Volume 26

vom 324.49 Punkte ic_school_black_18dp
We continue to expand the Azure Marketplace ecosystem. During September and October, 149 new consulting offers successfully met the onboarding criteria and went live. See details of the new offers below: Consulting Services   1-Day Big D

Azure Marketplace new offers – Volume 26

vom 324.49 Punkte ic_school_black_18dp
We continue to expand the Azure Marketplace ecosystem. During September and October, 149 new consulting offers successfully met the onboarding criteria and went live. See details of the new offers below: Consulting Services   1-Day Big D

Azure Marketplace new offers–Volume 40

vom 315.64 Punkte ic_school_black_18dp
We continue to expand the Azure Marketplace ecosystem. For this volume, 212 new offers successfully met the onboarding criteria and went live. See details of the new offers below: Applications 2Care: 2CARE is a healthcare solution that easily captures t

Azure Marketplace new offers – Volume 28

vom 301.65 Punkte ic_school_black_18dp
We continue to expand the Azure Marketplace ecosystem. From November 17 to November 30, 2018, 80 new offers successfully met the onboarding criteria and went live. See details of the new offers below: Virtual machines CloudflareA

Team Security Diskussion über A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin