
I wanted to explicitly define the referrer-policy as "strict-origin-when-cross-origin" in my web application. However, "strict-origin-when-cross-origin" is the browser's default policy when no referrer-policy is set explicitly. This is followed in almost all the major browsers, such as Chrome and Firefox, because it is a secure referrer-policy. Since the browser already has the secure default policy, do I still need to explicitly define the referrer-policy as an additional layer of security? Does it help in any way, or would the browser's default policy be sufficient?

Testers Logic

1 Answer

Indeed, it's a best practice to set referrer-policy explicitly, even though browsers default to it. There are many scenarios where you can't guarantee strict-origin-when-cross-origin:

  1. Referrer leakage through injection

If users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

  2. Referrer policy precedence overriding

In some edge cases where referrer policy is set at page or element level, the browser's enforcement of the policy depends on the position of the <head> tag, and policy enforcement can be bypassed if the resource links are referenced above the <head> tag, as was found in GitHub's Gist bug.
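As an added example (not part of the question or the answer above), a small Python audit that reports whether a response declares a referrer policy explicitly (header or `<meta name="referrer">`) and, for a meta-only policy, which resource references are parsed before the tag. It assumes that a `<meta>` policy parsed after the response header replaces the header's value and that unrecognised policy tokens fall back to the browser default; the sample HTML is constructed.

```python
from html.parser import HTMLParser

VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "same-origin",
    "origin-when-cross-origin", "strict-origin", "unsafe-url",
    "strict-origin-when-cross-origin",
}
BROWSER_DEFAULT = "strict-origin-when-cross-origin"
FETCHING_TAGS = {"script", "img", "link", "iframe"}


class ReferrerAudit(HTMLParser):
    """Record the <meta name=referrer> policy and any resource referenced before it."""

    def __init__(self):
        super().__init__()
        self.meta_policy = None
        self.early_fetches = []  # URLs fetched before a meta policy could apply

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names already
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_policy = a.get("content", "").strip().lower()
        elif tag in FETCHING_TAGS and self.meta_policy is None:
            src = a.get("src") or a.get("href")
            if src:
                self.early_fetches.append(src)


def audit(headers, html):
    """Return {"policy", "explicit", "findings"} for one HTTP response.
    Assumption: a <meta> policy, parsed after the header, replaces the header."""
    header_policy = headers.get("Referrer-Policy", "").strip().lower() or None
    p = ReferrerAudit()
    p.feed(html)
    declared = p.meta_policy or header_policy
    findings = []
    if declared is None:
        findings.append("no explicit policy; relying on the browser default")
    elif declared not in VALID_POLICIES:
        findings.append(f"unrecognised policy {declared!r} is ignored by browsers")
    if p.meta_policy and header_policy is None and p.early_fetches:
        findings.append("fetched before <meta referrer>: " + ", ".join(p.early_fetches))
    policy = declared if declared in VALID_POLICIES else BROWSER_DEFAULT
    return {"policy": policy, "explicit": declared is not None, "findings": findings}


# Constructed sample: a meta-only policy declared after a script reference.
SAMPLE_HTML = ('<html><head><script src="https://cdn.example/app.js"></script>'
               '<meta name="referrer" content="no-referrer"></head></html>')
```

Sending the policy as a `Referrer-Policy` response header avoids the ordering finding entirely, which is the practical reason to declare it explicitly rather than rely on a meta tag or the default.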