
Review referer configuration of origin/origin-when-crossorigin/origin-when-cross-origin
Closed, Declined | Public

Description

Status quo
<meta name="referrer" content="origin"/>
<meta name="referrer" content="origin-when-crossorigin"/>
<meta name="referrer" content="origin-when-cross-origin"/>

Setting all three in the HTML head seems messy.

Motivation:

  • This is sometimes reported by users as being no longer needed.
  • Causes Safari to emit an error in the developer console on every page load. This, while harmless, is sometimes a source of confusion for developers.
  • Reduce size of <head> payload, per T231168.
Safari (console error)
Failed to set referrer policy: The value 'origin-when-crossorigin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'.

In recent news, Safari has announced that:

webkit.org wrote at Third-Party Blocking (24 Mar 2020):

All cross-site document.referrers are downgraded to their origin.

This sounds like origin-when-cross-origin is effectively the default in Safari 13.

To answer for this task:

  • Which browser(s) are each of the three values for?
  • Can we reduce it to two or one? If not, when?

Prior art to keep in mind:

Event Timeline

The two questions in this task are questions that I'd like Analytics or Reading (whoever knows!) to help answer. Based on the related tasks, CC-ing @mforns, @Nuria, @phuedx. Feel free to forward as needed :)

Krinkle triaged this task as Medium priority. Mar 31 2020, 5:31 PM
Krinkle edited projects, added Performance-Team; removed Performance-Team (Radar).
Krinkle moved this task from Inbox, needs triage to Blocked (old) on the Performance-Team board.

@Krinkle for the origin-when-crossorigin fallback: The spec-compliant origin-when-cross-origin has been supported since March 2018, starting with Safari 11.1. So in order to remove that, the question to answer would be: how much traffic do we still get for Safari versions older than 11.1, and does Analytics care about being able to accurately track 'internal referrers' for that number of browser sessions?

Sorry, I totally missed this ping. We get around 1 million pageviews from Safari (browser major <11) per day. While in the big scheme of things (warning, napkin math) that is about 2% of pageviews, the percentage is not insignificant, so in my opinion the workaround should remain until the lower versions phase out.

@TheDJ Does that mean we need one for new and one for old Safari? If so, which is the old Safari one, and what's the third one for?

origin-when-crossorigin: Safari pre 11.1 (spec implementation error, 2017-2018)
origin-when-cross-origin: Safari post 11.1 and all other modern browsers
origin: browsers from between 2015 and 2017

(And yes, if you want the tracking data, you need all three as far as I can tell.)

Just an FYI: Google just announced they are moving their default (when you have NOT specified a specific referrer policy) to strict-origin-when-cross-origin.
https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default

(strict means: don't send any referrer at all when moving from https -> http)

We could consider upgrading our policy to be strict as well. The browser support should be equal, and unlike when we introduced this, the majority of partner links etc is likely to be https now, so shouldn't have too much impact on them I think.
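
The fallback chain discussed in this thread, modelled as an added example (not code from this task or the project): each recognised meta referrer tag replaces the previous policy and unrecognised values are skipped, so the last recognised tag wins. The browser profiles are assumptions taken from the comments above, and the wiki.example / other.example hostnames are constructed.

```javascript
// Constructed model of the thread's claims; the profiles below are assumptions,
// not measured browser behaviour.
const STATUS_QUO = ["origin", "origin-when-crossorigin", "origin-when-cross-origin"];

// Tokens each browser generation is assumed to recognise (per the thread).
const PROFILES = {
  "browsers 2015-2017": new Set(["origin"]),
  "Safari < 11.1": new Set(["origin", "origin-when-crossorigin"]),
  "Safari >= 11.1 / modern": new Set(["origin", "origin-when-cross-origin"]),
};

// Legacy spelling behaves like the spec-compliant token where it is recognised.
const CANONICAL = { "origin-when-crossorigin": "origin-when-cross-origin" };

// Each recognised <meta name="referrer"> replaces the previous policy;
// unrecognised values are skipped, so the last recognised tag wins.
function effectivePolicy(metaValues, recognised) {
  let policy = null;
  for (const value of metaValues) {
    if (recognised.has(value)) policy = CANONICAL[value] || value;
  }
  return policy;
}

// Referrer sent for a navigation under the three policies discussed here.
function referrerFor(policy, from, to) {
  const src = new URL(from), dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";
  const full = src.origin + src.pathname + src.search; // fragment is never sent
  switch (policy) {
    case "origin": return src.origin + "/";
    case "origin-when-cross-origin": return sameOrigin ? full : src.origin + "/";
    case "strict-origin-when-cross-origin":
      return downgrade ? "" : sameOrigin ? full : src.origin + "/";
    default: throw new Error("policy not modelled: " + policy);
  }
}

// Which policy each generation ends up with for a given set of tags.
function audit(metaValues) {
  const out = {};
  for (const [name, tokens] of Object.entries(PROFILES)) {
    out[name] = effectivePolicy(metaValues, tokens);
  }
  return out;
}

console.log(audit(STATUS_QUO));
console.log(audit(["origin", "origin-when-cross-origin"])); // legacy tag dropped
```

With the legacy tag dropped, the "Safari < 11.1" profile falls back to origin, so same-site navigations lose the path that internal-referrer tracking relies on.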