Review referer configuration of origin/origin-when-crossorigin/origin-when-cross-origin
Closed, Declined · Public

Description

Status quo
<meta name="referrer" content="origin"/>
<meta name="referrer" content="origin-when-crossorigin"/>
<meta name="referrer" content="origin-when-cross-origin"/>

Setting all three in the HTML head seems messy.

Motivation:

  • This is sometimes reported by users as being no longer needed.
  • Causes Safari to emit an error in the developer console on every page load. This, while harmless, is sometimes a source of confusion for developers.
  • Reduce size of <head> payload, per T231168.

Safari (console error)
Failed to set referrer policy: The value 'origin-when-crossorigin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'.

In recent news, Safari has announced that:

webkit.org wrote at Third-Party Blocking (24 Mar 2020):

All cross-site document.referrers are downgraded to their origin.

This sounds like origin-when-cross-origin is effectively the default in Safari 13.

To answer for this task:

  • Which browser(s) are each of the three values for?
  • Can we reduce it to two or one? If not, when?

Prior art to keep in mind:

Event Timeline

Krinkle created this task. Mar 25 2020, 10:48 PM
Restricted Application added a subscriber: Aklapper. Mar 25 2020, 10:48 PM
Krinkle updated the task description. Mar 25 2020, 10:49 PM
fdans moved this task from Incoming to Radar on the Analytics board. Mar 30 2020, 4:17 PM
Gilles moved this task from Inbox to Radar on the Performance-Team board. Mar 30 2020, 7:48 PM
Gilles edited projects, added Performance-Team (Radar); removed Performance-Team.

The two questions in this task are questions that I'd like Analytics or Reading (whoever knows!) to help answer. Based on the related tasks, CC-ing @mforns, @Nuria, @phuedx. Feel free to forward as needed :)

Krinkle triaged this task as Medium priority. Mar 31 2020, 5:31 PM
Krinkle edited projects, added Performance-Team; removed Performance-Team (Radar).
Krinkle moved this task from Inbox to Blocked or Needs-CR on the Performance-Team board.
TheDJ added a subscriber: TheDJ. (Edited) May 19 2020, 10:33 AM

@Krinkle for the origin-when-crossorigin fallback: the spec-compliant origin-when-cross-origin has been supported since March 2018, starting with Safari 11.1. So in order to remove that, the question to answer would be: how much traffic do we still get for Safari versions older than 11.1, and does Analytics care about being able to accurately track 'internal referrers' for that number of browser sessions?

Nuria added a comment. May 19 2020, 3:22 PM

Sorry, I totally missed this ping. We get around 1 million pageviews from Safari (browser major <11) per day. While in the big scheme of things (warning, napkin math) that is about 2% of pageviews, the percentage is not insignificant, so in my opinion the workaround should remain until the lower versions phase out.

Krinkle added a comment. (Edited) May 19 2020, 9:51 PM

@TheDJ Does that mean we need one for new and one for old Safari? If so, which is the old Safari one, and what's the third one for?

TheDJ added a comment. (Edited) May 20 2020, 11:48 AM

origin-when-crossorigin: Safari pre 11.1 (spec implementation error, 2017-2018)
origin-when-cross-origin: Safari post 11.1 and all other modern browsers
origin: browsers from between 2015 and 2017

And yes, if you want the tracking data, you need all three, as far as I can tell.

Krinkle closed this task as Declined. May 20 2020, 3:35 PM

Thanks.

Aklapper edited projects, added Analytics-Radar; removed Analytics. Jun 10 2020, 6:44 AM
TheDJ added a comment. (Edited) Jul 31 2020, 1:37 PM

Just an FYI: Google just announced they are moving their default (when you have NOT specified a specific referrer policy) to strict-origin-when-cross-origin.
https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default

(strict means: don't send any referrer at all when moving from https -> http)

We could consider upgrading our policy to be strict as well. The browser support should be equal, and unlike when we introduced this, the majority of partner links etc is likely to be https now, so shouldn't have too much impact on them I think.

Izno added a subscriber: Izno. Aug 13 2020, 1:36 AM
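
The fallback chain described in the thread, and the effect of the "strict" variant raised in the last comment, as an added example that is not part of the original task or Wikimedia's code. The browser profiles, the "last recognised value wins" model for older browsers, and the wiki.example URLs are constructed assumptions.

```javascript
// Added example, not Wikimedia's code. Model: <meta name="referrer"> tags apply in document
// order and unrecognised values are ignored, so the last recognised value wins.
const SPEC = ['no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url'];
// Hypothetical browser profiles following the breakdown in the thread (a simplification).
const BROWSERS = {
  'browsers-2015-2017': ['origin'],
  'safari-pre-11.1': ['origin', 'origin-when-crossorigin'],
  'modern': SPEC, // the values listed in Safari's console error
};
// Assumption: where the legacy spelling is recognised it behaves like the standard one.
const LEGACY = { 'origin-when-crossorigin': 'origin-when-cross-origin' };

function effectivePolicy(metaValues, recognised) {
  let policy = null; // null: no tag understood, the browser default applies
  for (const v of metaValues) {
    if (recognised.includes(v)) policy = LEGACY[v] || v;
  }
  return policy;
}

// Referrer value sent for a navigation (simplified: downgrade means https to non-https).
function referrerFor(policy, from, to) {
  const src = new URL(from), dst = new URL(to);
  const full = src.origin + src.pathname + src.search; // fragment and credentials dropped
  const originOnly = src.origin + '/';
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return '';
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : '';
    case 'strict-origin': return downgrade ? '' : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? '' : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? '' : originOnly);
    default: throw new Error('unknown policy: ' + policy);
  }
}

const ALL_THREE = ['origin', 'origin-when-crossorigin', 'origin-when-cross-origin'];
const INTERNAL = ['https://wiki.example/wiki/Foo?x=1#top', 'https://wiki.example/wiki/Bar']; // constructed
for (const [name, tokens] of Object.entries(BROWSERS)) {
  const p = effectivePolicy(ALL_THREE, tokens);
  console.log(name, '->', p, '| internal referrer:', referrerFor(p, ...INTERNAL));
}
```

Calling `effectivePolicy(['origin', 'origin-when-cross-origin'], BROWSERS['safari-pre-11.1'])` shows the cost of dropping the legacy tag: under this model that browser falls back to `origin` and internal navigations lose the page path.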