Description
From the Fetch spec, if you hide referrer values with a strong referrer policy, it also hides the `Origin` header.
e.g. when you set `no-referrer`, it also sets `origin: null` for requests that carry an Origin header.
The `Origin` header is an important header field for avoiding CSRF attacks, since you can check that the request really came from the expected origin by looking at the Origin header. But if it is set to null, you can't. That means it is less secure.
This best practice mentions hiding the referrer to avoid information leaks. But there is no reason to hide the referrer from same-origin servers. This article seems to be in a `stricter is better` mood, but from the point of view of the `Origin` header, that is not always true.
I hope this practice also mentions the side effect on the `Origin` header, not only on the referrer header itself.