Make the Origin header honor Referrer Policy (outside of CORS)

Tests: web-platform-tests/wpt#14260.
whatwg · Jun 27, 2019 · cc80ec5 · cc80ec5
1 parent 4dcfe90
commit cc80ec5
Showing 1 changed file with 54 additions and 5 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -2359,6 +2359,58 @@ origin                           = <a for=url>scheme</a> "://" <a for=url>host</
 <a for=/>header</a>.
 [[ORIGIN]]
 
+<hr>
+
+<p>To <dfn id=append-a-request-origin-header>append a request `<code>Origin</code>` header</dfn>,
+given a <a for=/>request</a> <var>request</var> with an optional <i>CORS flag</i>, run these steps:
+
+<ol>
+ <li><p>Let <var>serializedOrigin</var> be the result of <a>serializing a request origin</a> with
+ <var>request</var>.
+
+ <li><p>If the <i>CORS flag</i> is set or <var>request</var>'s <a for=request>mode</a> is
+ "<code>websocket</code>", then <a for="header list">append</a>
+ `<code>Origin</code>`/<var>serializedOrigin</var> to <var>request</var>'s
+ <a for=request>header list</a>.
+
+ <li>
+  <p>Otherwise, if <var>request</var>'s <a for=request>method</a> is neither `<code>GET</code>` nor
+  `<code>HEAD</code>`, then:
+
+  <ol>
+   <li>
+    <p>Switch on <var>request</var>'s <a for=request>referrer policy</a>:
+
+    <dl class=switch>
+     <dt>"<code>no-referrer</code>"
+     <dd><p>Set <var>serializedOrigin</var> to `<code>null</code>`.
+
+     <dt>"<code>no-referrer-when-downgrade</code>"
+     <dt>"<code>strict-origin</code>"
+     <dt>"<code>strict-origin-when-cross-origin</code>"
+     <dd><p>If <var>request</var>'s <a for=request>origin</a> is a <a>tuple origin</a>, its
+     <var>scheme</var> is "<code>https</code>", and <var>request</var>'s
+     <a for=request>current URL</a>'s <var>scheme</var> is not "<code>https</code>", then set
+     <var>serializedOrigin</var> to `<code>null</code>`.
+
+     <dt>"<code>same-origin</code>"
+     <dd><p>If <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a> with
+     <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then set
+     <var>serializedOrigin</var> to `<code>null</code>`.
+
+     <dt>Otherwise
+     <dd>Do nothing.
+    </dl>
+
+   <li><p><a for="header list">Append</a> `<code>Origin</code>`/<var>serializedOrigin</var> to
+   <var>request</var>'s <a for=request>header list</a>.
+  </ol>
+</ol>
+
+<p class=note>A <a for=/>request</a>'s <a for=request>referrer policy</a> is taken into account for
+all fetches where the fetcher did not explicitly opt into sharing their <a for=/>origin</a> with the
+server, e.g., via using the <a>CORS protocol</a>.
+
 
 <h3 id=http-cors-protocol>CORS protocol</h3>
 
@@ -4068,11 +4120,8 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
    <a for=request>referrer</a>, <a lt="url serializer">serialized</a> and <a>isomorphic encoded</a>,
    to <var>httpRequest</var>'s <a for=request>header list</a>.
 
-   <li><p>If the <i>CORS flag</i> is set, <var>httpRequest</var>'s <a for=request>method</a> is
-   neither `<code>GET</code>` nor `<code>HEAD</code>`, or <var>httpRequest</var>'s
-   <a for=request>mode</a> is "<code>websocket</code>", then <a for="header list">append</a>
-   `<code>Origin</code>`/the result of <a>serializing a request origin</a> with
-   <var>httpRequest</var>, to <var>httpRequest</var>'s <a for=request>header list</a>.
+   <li><p><a>Append a request `<code>Origin</code>` header</a> for <var>httpRequest</var> with the
+   <i>CORS flag</i> if set.
 
    <li><p>If <var>httpRequest</var>'s <a for=request>header list</a>
    <a for="header list">does not contain</a> `<code>User-Agent</code>`, then user agents should