Limit `Referer` header's length to 4k

Strips the Referer header down to an origin when it's size exceeds 4k.

As noted in, servers will often behave in unexpected ways when presented with an overly-long `Referer` header. This is unfortunate, as `Referer` is one header whose length attackers generally retain control over when generating `no-cors` requests.



Editor's draft

Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 77
  • Chrome for Android release 77
  • Android WebView release 77

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.


Last updated on 2019-06-07