
strict-origin-when-cross-origin doesn't seem to be supported by Chrome #52

Closed
mikefrancis opened this issue Jul 18, 2017 · 4 comments

mikefrancis commented Jul 18, 2017

Using the default config:

use Aidantwoods\SecureHeaders\SecureHeaders;

$headers = new SecureHeaders();
$headers->apply();

I get the following console error in Chrome:

Failed to set referrer policy: The value 'strict-origin-when-cross-origin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

Not sure if it's just Chrome but this doesn't happen in Firefox.

I've had this problem with CORS stuff before in Chrome and there's usually an extension that someone has used to intercept the URLs, not sure if you know of one?

@aidantwoods (Owner)

See: #19
And the Chrome bug report (it's now just awaiting a stable release): https://bugs.chromium.org/p/chromium/issues/detail?id=627968

I am curious as to why you're getting that error though; the default config should also emit a fallback referrer policy of no-referrer. Chrome shouldn't complain if it sees at least one it recognises.

@aidantwoods (Owner)

If you're experiencing this through the adapter you're working on, you may need to make sure to pass false as the third param to Symfony (to make sure headers with the same name don't replace the previous).

See: https://github.com/symfony/symfony/blob/22f6091bc7bc3a22d60b802693ccbfa37a5fb3a3/src/Symfony/Component/HttpFoundation/HeaderBag.php#L139
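An added example (not code from this issue, from SecureHeaders or from Symfony) of the detail aidantwoods points at: a small adapter function writes a header list into a Symfony Response once with the default replace flag and once with false, and the two resulting Referrer-Policy headers are compared. It assumes symfony/http-foundation is installed via Composer; the header list, applyHeaders() and referrerPolicies() are constructed for the illustration.

```php
<?php
// Added example, not code from the issue or the SecureHeaders project.
// Assumes symfony/http-foundation is installed via Composer.
require 'vendor/autoload.php';

use Symfony\Component\HttpFoundation\Response;

// Constructed header list in the shape an adapter receives: one name may
// occur more than once. The fallback comes first because, per the Referrer
// Policy spec, a browser applies the last value it recognises; a browser
// that does not know strict-origin-when-cross-origin therefore still ends
// up with no-referrer instead of leaving the policy unset.
$headerList = [
    ['Referrer-Policy', 'no-referrer'],
    ['Referrer-Policy', 'strict-origin-when-cross-origin'],
    ['X-Content-Type-Options', 'nosniff'],
];

// Hypothetical adapter step: copy every header onto the response.
function applyHeaders(Response $response, array $headerList, bool $replace): Response
{
    foreach ($headerList as [$name, $value]) {
        // Third argument of HeaderBag::set(): true replaces an existing
        // header of the same name, false appends to it.
        $response->headers->set($name, $value, $replace);
    }
    return $response;
}

// Header names are stored lower-cased in the bag.
function referrerPolicies(Response $response): array
{
    return $response->headers->all()['referrer-policy'] ?? [];
}

// With the default (replace = true) only the last policy survives, which is
// exactly the single-header situation reported above.
$replaced = applyHeaders(new Response(), $headerList, true);
assert(referrerPolicies($replaced) === ['strict-origin-when-cross-origin']);

// With replace = false both values are sent, so the fallback is available
// to browsers that reject the newer token.
$appended = applyHeaders(new Response(), $headerList, false);
assert(referrerPolicies($appended) === ['no-referrer', 'strict-origin-when-cross-origin']);
```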

@mikefrancis (Author)

Well that was easy! Thanks @aidantwoods - you're right, there was just the one referrer-policy rather than the 2 there is now.

Thanks again!

@aidantwoods (Owner)

Maybe I'll write about the HttpAdapter spec in the Wiki 😉

I think multiple headers, and framework cookie jars might be things that'll trip people up unless they deliberately enable certain behaviors.
