Page MenuHomePhabricator

Set referrer-policy in REST API responses
Closed, ResolvedPublic

Description

The [referrer-policy header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) configures how clients share referrer headers with subsequently visited pages. In regular page views, we currently set this to origin-when-cross-origin in a meta tag, which means that other sites only see "en.wikipedia.org" in the referrer, but not the precise page the user visited before.

While top-level navigations to REST API end points are fairly rare, it still wouldn't hurt to protect our client's privacy by setting referrer-policy: origin-when-cross-origin in REST API responses.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2017, 2:52 PM
GWicke closed this task as Resolved.Aug 17 2017, 5:35 PM
GWicke claimed this task.

The PR has been merged, and will go out with the next RESTBase deploy.