Is the origin sent in the referer header when the current document establishes a "strict-origin" policy and the protocol level improves?
I would like to know if the origin of the current document is sent in the referer header when it establishes a "strict-origin" policy and the protocol level improves.
For examples:
The current document is http://example.com/index.html, it sets a referer policy of "strict-origin", then some requests are made to https://anotherexample.com/script.js.
I would like to know what will be the value of the referer in this particular case (note that the protocol level improves).
Regarding the documentation (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy#strict-origin_2), it is not clear:
Thanks for your help,
Bests
Looking at the spec, it seems referrer is always sent when referrerURL is non-trustworthy. So I believe the request would contain the referrer info.
The algo states:
Execute the statements corresponding to the value of policy:
Note: If request’s referrer policy is the empty string, Fetch will not call into this algorithm.
If referrerURL is a potentially trustworthy URL and request’s current URL is not a potentially trustworthy URL, then return
no referrer.Return referrerOrigin.
strict-origin-when-cross-origin means treating as strict origin when the requests are cross origin. And since this is cross origin (HTTP to HTTPS), behaviour should be same as strict origin. This means ASCII serialization of referrer should be sent.
- Is the name of a cookie case sensitive?
- YAML media type?
- Clojure Cross Origin Error - Totally Lost
- Is the origin sent in the referer header when the current document establishes a "strict-origin" policy and the protocol level improves?
- Preserving line breaks and tabs when sending data using JSON via HTTP PUT
- What is "406-Not Acceptable Response" in HTTP?
- HTTP: POST request receives a 302, should the redirect-request be a GET?
- The GET method hits the backend twice in a row on ngOnInit Angular
- HTTP status code when single request asks for too large resource or too many of them
- Content-Length header with HEAD requests?
- python set-up boundary for POST using multipart/form-data with requests
- Idempotent HTTP PUT and DELETE: Should the server check for existing data, and how to handle responses?
- Why isn't Yelp returning all of the results?
- How to sent Http POST request with application/x-www-form-urlencoded
- Kill already in use binding tcp connection
- Correct way to delete cookies server-side
- Does an HTTP proxy need to use the headers?
- Is there a way to make git over http timeout?
- Etag: weak vs strong example
- What's the difference between HTTP 301 and 308 status codes?
- why am i getting http error code 500 when i am sending a rest request
- Making HTTP GET request with Swift 5
- How to send a “multipart/form-data” POST in Android with Volley
- REST API error code 500 handling
- Expect: 100-continue
- What HTTP status code do you use when endpoint is disabled by feature-flag / feature-toggle?
- Can I stream a file upload to S3 without a content-length header?
- What HTTP request type to use when no resource is being retrieved or modified?
- Set boundary on URLSession.uploadTask :with :fromFile
- Mocking an Http connection in python