Referrer handling - default policy and capping #538

Closed
krgovind opened this issue Jul 21, 2020 · 6 comments

@krgovind

krgovind commented Jul 21, 2020

Saluton TAG!

I'm requesting a TAG review of current and proposed handling of referrers across various browsers, as being discussed on privacycg/proposals#13.

As summarized by @englehardt on the PrivacyCG thread, referrers leak users' browsing activity cross-site. Browsers have either already shipped, or are experimenting with a combination of:

Does the TAG have an opinion on the present disparity among browsers, and appropriate long term handling of referrers?

As @englehardt asks:

At the very least it seems like we can align on defaulting to strict-origin-when-cross-origin (see also: w3c/webappsec-referrer-policy#125). But even this default can still be overwritten by motivated adversaries. This leads to the question of why only change the default, and not permanently trim cross-site referrers with no way to override?

CC: @domfarolino @johnwilander @erik-anderson @pes10k

@pes10k

pes10k commented Jul 21, 2020

Thank you @krgovind for sharing this. Just to re-surface what I mentioned in the original discussion: Brave currently does what @englehardt is suggesting, specifically

why only change the default, and not permanently trim cross-site referrers with no way to override?

Brave does the above and has found it a useful privacy improvement and has not encountered web-compat issues.
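To make the options in this thread concrete, the following is an added Python model (not code from the thread, the spec, or any browser) of the Referer value a request carries under each Referrer Policy value, with an optional cap that models the Brave behaviour described above: cross-site requests never carry more than the origin, whatever policy the page sets. The same-site check is a constructed simplification (last two host labels), not a Public Suffix List lookup.

```python
from urllib.parse import urlsplit, urlunsplit

def _host_port(url: str) -> str:
    p = urlsplit(url)
    return f"{p.hostname}:{p.port}" if p.port else str(p.hostname)

def _origin(url: str) -> str:
    # Spec "strip url for use as a referrer" with the origin-only flag: scheme://host[:port]/
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"

def _strip(url: str) -> str:
    # Spec "strip url for use as a referrer": drop credentials and fragment, keep path and query.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path or "/", p.query, ""))

def _site(url: str) -> str:
    # Constructed simplification: the last two host labels stand in for the registrable domain
    # (a real implementation consults the Public Suffix List).
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])

def referer_header(policy: str, src: str, dst: str, cap_cross_site: bool = False):
    """Referer value (None = header omitted) for a request from page `src` to `dst`.

    `cap_cross_site=True` models the Brave behaviour discussed in the thread: cross-site
    requests never carry more than the origin, regardless of the page's policy."""
    s, d = urlsplit(src), urlsplit(dst)
    if s.scheme not in ("http", "https"):
        return None
    downgrade = s.scheme == "https" and d.scheme != "https"
    same_origin = _origin(src) == _origin(dst)
    full, origin = _strip(src), _origin(src)
    table = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "same-origin": full if same_origin else None,
        "origin": origin,
        "strict-origin": None if downgrade else origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin),
        "unsafe-url": full,
    }
    if policy not in table:
        raise ValueError(f"unknown referrer policy: {policy}")
    ref = table[policy]
    if cap_cross_site and _site(src) != _site(dst) and ref not in (None, origin):
        ref = None if downgrade else origin  # the page asked for more, but the cap wins
    return ref
```

Comparing `unsafe-url` with and without the cap shows the difference between changing the default (which a page can still override) and trimming cross-site referrers permanently.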

@krgovind

@hadleybeeman Pinging to check if this review happened last week.

If it helps expedite the review, the Chrome team would like to start by requesting a review of the first part. We are preparing to ship this change in Chrome, and would like to hear the TAG's opinion:

@domfarolino

Ping TAG. Chrome is planning on shipping this, especially because we have full cross-browser consensus on changing the default referrer policy. There is still discussion on whether or not we should let sites apply a looser policy, but as the editor of the Referrer Policy spec, I don't think that should block this.

@torgo

torgo commented Sep 2, 2020

Hi @domfarolino - thanks for the heads up - we haven't had a chance to really put this on the table for TAG discussion yet unfortunately. I'm going to put it on our agenda for w/o 14th Sept - I hope we can still provide useful feedback at that point.

@torgo

torgo commented Oct 12, 2020

We discussed this today in the TAG breakout. That sounds good to us ("align[ing] on defaulting to strict-origin-when-cross-origin"). We think more restrictions ("permanently trim cross-site referrers") – aligned across browsers – would be good as well. It looks like more work needs to be done to explore where this would potentially break existing content - especially in the long tail.

@torgo torgo added the Progress: propose closing we think it should be closed but are waiting on some feedback or consensus label Oct 12, 2020
@plinss plinss removed this from the 2020-10-12-week milestone Oct 19, 2020
@torgo

torgo commented Jun 23, 2021

This slipped off our radar to actually close the issue, although we had agreed to close it, so we are closing it now. ✨

@torgo torgo closed this as completed Jun 23, 2021