Limit `Referer` header's length to 4k - Chrome Platform Status

Limit `Referer` header's length to 4k

Security

Strips the Referer header down to an origin when it's size exceeds 4k.

As noted in https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#cache-and-error-events, servers will often behave in unexpected ways when presented with an overly-long `Referer` header. This is unfortunate, as `Referer` is one header whose length attackers generally retain control over when generating `no-cors` requests.

Documentation

https://github.com/whatwg/fetch/issues/903

Specification

Status in Chromium

Blink components: Blink>SecurityFeature>Referrer

Enabled by default (tracking bug) in:

Chrome for desktop release 77
Chrome for Android release 77
Android WebView release 77

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Public support
Edge: Public support
Safari: No public signals
Web Developers: No signals

Owner

mkwst@chromium.org

Last updated on 2019-06-07