
Set referrer-policy in REST API responses
Closed, Resolved (Public)


The referrer-policy header configures how much of the referring URL clients include in the Referer header when navigating to subsequently visited pages. In regular page views, we currently set this to origin-when-cross-origin in a meta tag, which means that other sites only see "" in the referrer, but not the precise page the user visited before.

While top-level navigations to REST API endpoints are fairly rare, it still wouldn't hurt to protect our clients' privacy by setting referrer-policy: origin-when-cross-origin in REST API responses.
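To make the privacy difference concrete, here is an added illustration (not part of this task or of MediaWiki) that models what a browser would put in the Referer header under the common referrer-policy values; the REST URL and the destination URLs are constructed samples, and the policy semantics follow the Referrer Policy specification.

```python
"""Model of Referer header behaviour per referrer-policy value (added example,
not MediaWiki code). Shows why origin-when-cross-origin hides a REST API path
from other sites while keeping the full URL for same-origin navigations."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a REST API URL whose path reveals what the user looked at.
SOURCE = "https://en.wikipedia.org/w/rest.php/v1/page/Some_Private_Topic"


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _referrer_url(url):
    """Full referrer as browsers send it: credentials and fragment stripped."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_sent(policy, source, target):
    """Return the Referer value sent when navigating source -> target,
    or None when no Referer header is sent at all."""
    same_origin = _origin(source) == _origin(target)
    downgrade = source.startswith("https:") and target.startswith("http:")
    full = _referrer_url(source)
    origin = _origin(source) + "/"  # origin-only referrers carry a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer-policy value: {policy}")
```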