Re: Intent to implement and ship: Limit the length of Referer header to 4k

2019-07-02 Thread Panos Astithas 
On Tue, Jul 2, 2019 at 6:16 AM Thomas Nguyen  wrote:

> DevTools bug: No
>

 Wouldn't it be helpful to indicate such truncation in the console (as a
warning) or network panel (with a request badge)? I can imagine developers
being confused about why the referrer header is not what they expect it to
be.

Panos
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Intent to implement and ship: Limit the length of Referer header to 4k

2019-07-02 Thread Thomas Nguyen 
Summary:

Servers often reject requests entailing an overly long `Referer` header.
Additionally, attackers can retain control over the header on `no-cors`
requests and force an error when fetching a subresource which allows them
to perform cache probing attacks by looking at the error event of the
request.

To compensate, we plan to strip down the Referrer URL to the origin if the
`Referer` header's value exceeds 4k. If the origin of Referrer still
exceeds 4k, then completely remove the Referrer Header.

More details:

https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#cache-and-error-events
,


Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1557346

Link to standard:

https://github.com/w3c/webappsec-referrer-policy/pull/122

https://github.com/whatwg/fetch/issues/903

Platform coverage: All platforms.

Estimated or target release: 70

Is this feature enabled by default in sandboxed iframes? Yes.

DevTools bug: No

Do other browser engines implement this? Chromium:

https://www.chromestatus.com/features/5648956820291584

Is this feature restricted to secure contexts? No.

Web-platform-tests:
https://github.com/web-platform-tests/wpt/blob/master/referrer-policy/generic/referrer-policy-test-case.sub.js

-- 
Best regards,

=
Thomas Nguyen
IRC : tngu...@irc.mozilla.com
Slack: tnguyen
Email: tngu...@mozilla.com
=
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform