Change Details

Edge and Safari support an [[https://wiki.whatwg.org/wiki/Meta_referrer|older version]] of the Referrer Policy spec, which only recognizes `never`, `always`, `origin` and `default`. In T87276 we have set `origin-when-cross-origin`; that causes Edge and Safari to use the default policy (full URL when target is HTTPS; empty string when target is HTTP) which is both too restrictive and not restrictive enough. We should use the [[https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values|fallback mechanism]] defined in the spec and define something more appropriate for those browsers. That would mean: * allow [[https://www.mediawiki.org/wiki/Manual:$wgReferrerPolicy|`$wgReferrerPolicy`]] to be an array, and output multiple `<meta>` tags in that case; * set our referrer policy to something like `[ 'origin-when-cross-origin', 'origin' ]` (that would prevent Edge/Safari from sending the full URL for same-domain requests but otherwise be the same; it's possible they are not sending it already, per T148780#2891117), or maybe `[ 'origin-when-cross-origin', 'origin-when-crossorigin', 'origin' ]` (if there is still some browser out there which supports the somewhat-less-old version of the spec which did have "Origin When Cross-Origin" but had a typo in the keyword).

Edge and Safari support an [[https://wiki.whatwg.org/wiki/Meta_referrer|older version]] of the Referrer Policy spec, which only recognizes `never`, `always`, `origin` and `default` ([[https://caniuse.com/#feat=referrer-policy|caniuse]]). In T87276 we have set `origin-when-cross-origin`; that causes Edge and Safari to use the default policy (full URL when target is HTTPS; empty string when target is HTTP) which is both too restrictive and not restrictive enough. We should use the [[https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values|fallback mechanism]] defined in the spec and define something more appropriate for those browsers. That would mean: * allow [[https://www.mediawiki.org/wiki/Manual:$wgReferrerPolicy|`$wgReferrerPolicy`]] to be an array, and output multiple `<meta>` tags in that case; * set our referrer policy to something like `[ 'origin-when-cross-origin', 'origin' ]` (that would prevent Edge/Safari from sending the full URL for same-domain requests but otherwise be the same; it's possible they are not sending it already, per T148780#2891117), or maybe `[ 'origin-when-cross-origin', 'origin-when-crossorigin', 'origin' ]` (if there is still some browser out there which supports the somewhat-less-old version of the spec which did have "Origin When Cross-Origin" but had a typo in the keyword).

Edge and Safari support an [[https://wiki.whatwg.org/wiki/Meta_referrer|older version]] of the Referrer Policy spec, which only recognizes `never`, `always`, `origin` and `default` ([[https://caniuse.com/#feat=referrer-policy|caniuse]]). In T87276 we have set `origin-when-cross-origin`; that causes Edge and Safari to use the default policy (full URL when target is HTTPS; empty string when target is HTTP) which is both too restrictive and not restrictive enough. We should use the [[https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values|fallback mechanism]] defined in the spec and define something more appropriate for those browsers. That would mean: * allow [[https://www.mediawiki.org/wiki/Manual:$wgReferrerPolicy|`$wgReferrerPolicy`]] to be an array, and output multiple `<meta>` tags in that case; * set our referrer policy to something like `[ 'origin-when-cross-origin', 'origin' ]` (that would prevent Edge/Safari from sending the full URL for same-domain requests but otherwise be the same; it's possible they are not sending it already, per T148780#2891117), or maybe `[ 'origin-when-cross-origin', 'origin-when-crossorigin', 'origin' ]` (if there is still some browser out there which supports the somewhat-less-old version of the spec which did have "Origin When Cross-Origin" but had a typo in the keyword).