Strips the Referer header down to an origin when its size exceeds 4k.
Motivation
As noted in https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#cache-and-error-events, servers will often behave in unexpected ways when presented with an overly-long `Referer` header. This is unfortunate, as `Referer` is one header whose length attackers generally retain control over when generating `no-cors` requests.
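The cap described above, sketched as an added example (not Chromium's code). It assumes "4k" means 4096 characters of the serialized URL and that credentials and fragments are stripped before measuring, as the Referrer Policy specification describes; the function names and sample URLs are hypothetical.

```javascript
// Added illustration, not Chromium source.
// Assumption: the page's "4k" is read as 4096 characters of the serialized URL.
const MAX_REFERRER_LENGTH = 4096;

// Remove the parts of a URL that are never sent in Referer (credentials and
// fragment). With originOnly set, also drop the path and query.
function stripForReferrer(rawUrl, originOnly = false) {
  const url = new URL(rawUrl);
  // Simplification for this example: only http(s) URLs produce a referrer.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  url.username = '';
  url.password = '';
  url.hash = '';
  if (originOnly) {
    url.pathname = '/';
    url.search = '';
  }
  return url.href;
}

// Return the Referer value after the length cap: the full stripped URL when it
// fits, otherwise only the origin (serialized with a trailing slash).
function cappedReferrer(rawUrl) {
  const full = stripForReferrer(rawUrl);
  if (full === null) return null;
  return full.length > MAX_REFERRER_LENGTH
    ? stripForReferrer(rawUrl, true)
    : full;
}

// Constructed sample inputs.
const shortUrl = 'https://user:pw@referrer.example/page?q=1#frag';
const longUrl = 'https://referrer.example/page?pad=' + 'A'.repeat(5000);

console.log(cappedReferrer(shortUrl)); // full URL, minus credentials and fragment
console.log(cappedReferrer(longUrl));  // origin only
```

A server can therefore expect `Referer` values from browsers that apply this cap to stay within the limit, but should still bound header sizes itself, since other clients are free to send longer ones.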
Documentation
Specification
Status in Chromium
Blink>SecurityFeature>Referrer
Enabled by default (tracking bug) in:
- Chrome for desktop release 77
- Chrome for Android release 77
- Android WebView release 77
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
Owner
Last updated on 2020-12-21