Page MenuHomePhabricator
Create Task
Maniphest T293109

Firefox: Referrer Policy: Less restricted policies, including ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’ and ‘unsafe-url’, will be ignored soon for the cross-site request
Open, Needs TriagePublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

What happens?:
For every cross-origin request, Firefox prints an Info-level message:

Referrer Policy: Less restricted policies, including ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’ and ‘unsafe-url’, will be ignored soon for the cross-site request: https://upload.wikimedia.org/wikipedia/commons/thumb/9/90/Quileute_Net_Fishing_TFA.jpg/121px-Quileute_Net_Fishing_TFA.jpg 121px-Quileute_Net_Fishing_TFA.jpg

The page has the following referrer meta tags:

<meta name="referrer" content="origin">
<meta name="referrer" content="origin-when-crossorigin">
<meta name="referrer" content="origin-when-cross-origin">

Firefox applies the origin-when-cross-origin policy to the requests.

What should have happened instead?:
We should not set a referrer policy that will be ignored.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc:

  • firefox 93.0-1 on Arch Linux

See also:

Related Objects

Event Timeline

AntiCompositeNumber created this task.Oct 12 2021, 4:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 12 2021, 4:06 PM
AntiCompositeNumber added a comment.Oct 12 2021, 4:12 PM

Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy Firefox considers the default to be strict-origin-when-cross-origin.

Maintenance_bot added a project: SRE.Oct 12 2021, 4:45 PM
AntiCompositeNumber mentioned this in T261803: Requests for /static get an invalid WMF-Last-Access cookie for wikipedia.org on non-Wikipedia requests.Oct 18 2021, 2:56 AM
Krinkle added subscribers: Bawolff, TheDJ.Nov 2 2021, 8:54 PM
Krinkle subscribed.
MatthewVernon removed a project: SRE.Dec 14 2021, 2:56 PM
Seb35 subscribed.Dec 19 2023, 8:41 PM

Firefox enforces strict-origin-when-cross-origin since Firefox 93 (released in October 2021) when Tracking Protection is enabled. The user can disable it per-site (click on the shield in the address bar) and in this case these logs disappear in the console.

Seeing the issues where some browsers misinterpreted some values and even the fallback mechanism (T180921), any change should be properly evaluated to stay compatible with main browsers, even if Firefox is complaining.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits