Sending Sec-Fetch-Site: none after redirects from directly user-initiated requests
#39
Comments
|
I do think Chrome's current behavior is pretty reasonable, especially in the somewhat common case of shortlinks. If I type |
|
Sounds reasonable -- let's leave I think @jerryzz0 was considering proposing some spec text to provide a more detailed explanation about the meaning of |
|
I welcome spec text proposals. :) |
|
I added a note to close this out. |
It is clear that we want to set site=
noneon non-webby requests, e.g. initiated from the address bar, bookmarks, etc.It is less clear what we should do upon redirects to such requests, i.e. whether we should still treat them as trusted and set
noneor whether we should follow the usual logic we apply to redirects (which would take into account the original URL, and would downgrade the site value tosame-origin,same-siteorcross-sitedepending on the target of the redirect).The security downside of
noneis that an address bar navigation to a seemingly benign URL (evil.com) will allow the owner of the server to redirect the user to an arbitrary cross-site URL and make the navigation seem trusted. The compatibility downside ofcross-siteis that it would make address bar navigations to redirectors (e.g. shortlinks) appear as untrusted to the target server, which may want to then reject the request.I don't think the security risk is particularly bad here so perhaps the status quo in Chrome (sending site=
none) is the best choice. But we should think about this more explicitly.The text was updated successfully, but these errors were encountered: