Avoid unnecessary information leaking about user.
Example:
Embedded image is loaded. The referrer to external resource is:
Referer: https://mail.example.com/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D0&_uid=1445&_mbox=INBOX&_safe=1&_action=show
Leaked information:
At the moment the browser support is good: https://caniuse.com/#feat=referrer-policy .
Yes, older browser ignore the policy.
There are two old and pending pull requests: #5422 #5674 #6038
There are different ways to implement referrer-policy:
There is a missing statement from maintainers which way should be chosen and what should be done to get them merged.
Specification:
https://www.w3.org/TR/referrer-policy/
Old Specification:
https://wiki.whatwg.org/wiki/Meta_referrer
Blog article:
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
edit: add: .htaccess pr, doc
If you review samples in .htaccess file, you'll see it can be done on a different level. No need for a configuration option. I'm not saying we'll not add such an option, but I'd like to see it more robust, see my comment https://github.com/roundcube/roundcubemail/pull/5422#issuecomment-250823993
I took the arguments from https://github.com/roundcube/roundcubemail/pull/5422#issuecomment-250823993 .
- Some users may actually want referrer to work on the login screen. So, maybe better to use this only for authenticated pages.
We could take "same-origin" option, more details see 2.
- We already use noreferrer for links and no one complained, so maybe making this new feature configurable is useless. I propose to always use "no-referrer" value for best privacy.
The "noreferrer" for links only affects external sites, but the referrer-policy affects external and internal sites.
If we put "no-referrer" as default it could brake roundcubes referer_check or other fancy custom check implementations.
I think "same-origin" would be the best solution under backwards compatibility aspects. It would deny the referrer for external sites and keeps a basic referrer for internal sites.
- Some browsers (Edge, Safari) does not support "no-referrer" (and other values), but support "never", it would be good to set the value according to detected browser.
The statistic shows that only 15% use this browsers. Is it worth to program a switch?
As alternative the legacy and the new value can be send as described in https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values . edit: after some research: old browsers struggle with the new values, because they do a different parsing -> does not work :(
- Finally, .htaccess file already contains an example how to do the same with Content-Security-Policy header.
The referrer control by CSP is deprecated. It was part in CSP1.0 but not in the current version.
The commit was created by me 3 years ago as optional settings for experienced users. But 3 years are a long time in web development. I will make a update pull request.
If you review samples in .htaccess file, you'll see it can be done on a different level.
If we want it as default we should not use .htaccess, because it only works on Apache servers and not on nginx.
@alecpl After a lot of research and testing, I got following conclusion:
| Referrer-Policy | meta-html-tag | http-header | Compatible old draft | Works with RC referer_check | Leak to external | Full privacy |
|-------------------|:-------------:|:-----------:|:---------------------:|:---------------------------:|:----------------:|:------------:|
| None setting | - | - | - | - | x | - |
| Same-Origin | - | x | - | x | - | partially |
| No-Referrer | - | x | - | - | - | x |
| Origin | x | - | x | x | partially | - |
| Same-Origin | x | - | - | x | - | partially |
| No-Referrer,Never | x | - | x | - | - | x |
No-Referrer,Never by meta-html-tagreferer_check caused problems #3306 #4221 and is replaced by modern CSRF checkOrigin by meta-html-tagreferer_checkSettings with compatibility to old draft browser for
It is only partially possible to get a complete backwards compatibility to browser which only support the old draft of the specification.
Problem:
Browser with old draft do not ignore unknown values. If they parse a unknown value they reset the referrer policy to default behavior and not as defined in the new standard to the latest valid value.
Tested with IE11:
<meta name="referrer" content="never">
<meta name="referrer" content="no-referrer"> <!-- unknown by IE11-> set policy to default -->
Result: referrer sent :-1:
Tested with IE11:
<meta name="referrer" content="no-referrer"> <!-- unknown by IE11-> set policy to default -->
<meta name="referrer" content="never"> <!-- known ->correctly parsed and set -->
Result: no referrer :+1:
Tested with Firefox61:
<meta name="referrer" content="no-referrer"> <!-- known ->correctly parsed and set -->
<meta name="referrer" content="never"> <!-- unknown -> ignored, referrer policy not changed -->
Result: no referrer :+1:
So, we have #5674, #6477, #5422. We need one solution. Some notes:
same-origin and no meta-tag use.Implemented in 186f21c4c.