Edge does not support latest META REFERRER tokens

Issue #7119603 • Assigned to Travis L.

Details

Author: Eric L.
Created: Apr 5, 2016
Privacy: This issue is public.
Found in: Microsoft Edge
Standard affected: Referrer Policy
Found in build #: 14.14295
Reports: Reported by 6 people


Steps to reproduce

The Referrer Policy specification has evolved since its implementation in Edge. As a consequence (and as shown on http://caniuse.com/#search=referrer), Edge lacks support for the ‘origin-when-cross-origin’ and ‘unsafe-url’ tokens.
Per the spec: “Note: Authors are encouraged to avoid the legacy keywords never, default, and always. The keywords no-referrer, no-referrer-when-downgrade, and unsafe-url respectively are preferred.”
Test Pages:
https://bayden.com/test/refer/META-Origin-When-Cross-Origin.htm
https://bayden.com/test/refer/META-Unsafe-Url.htm

Attachments

2 attachments

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Travis L.”

  • Current Meta Referrer values supported by Edge:
    default, never, origin, always

    Should be updated to align with W3C Spec Values:
    origin, no-referrer, no-referrer-when-downgrade, origin-when-crossorigin, and unsafe-URL
    *https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-states

    You can repro / check what meta ref is being passed with https://www.whatismyreferer.com/

  • It’s not “Edge” when it’s so far behind.

    This feature should be supported by both and HTTP header Security-Policy: .

  • I would like to add something very important. Edge does not support the referrer-policy attribute either, all the other browsers are fully supporting this: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-referrer-attribute - this feature allows setting different referrer policies per element (for example I’d like to pass on the referrer data for some URLs but not for all).

  • IE doesn’t support this feature now.

  • Security vulnerabilities with Microsoft and non-Microsoft web sites that are mitigated by meta referrer with options from the current spec are not mitigated for users of Edge and IE 11 because Edge and IE 11 are far behind Chrome and Firefox in supporting this spec.

  • All of the following should be supported in Edge and IE11

    no-referrer
    no-referrer-when-downgrade
    origin-when-cross-origin
    same-origin
    strict-origin
    strict-origin-when-cross-origin
    unsafe-url
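
Added example (not part of the issue thread or of any browser's code): a sketch of what each policy token discussed above causes a conforming browser to send as the referrer, including the legacy-keyword mapping from the spec note quoted in the report. The function names and sample URL are constructed for illustration, and "downgrade" is simplified to mean an https source with a non-https destination.

```javascript
// Legacy keywords and their preferred replacements (spec note quoted in the report).
const LEGACY = new Map([
  ["never", "no-referrer"],
  ["default", "no-referrer-when-downgrade"],
  ["always", "unsafe-url"],
]);

// Constructed sample: a page URL carrying credentials, a secret query value and a fragment.
const SAMPLE_FROM = "https://user:pw@shop.example/reset?token=abc123#top";

// Strip credentials and fragment; with originOnly, also drop path and query.
function strip(url, originOnly) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = "";
  if (originOnly) { u.pathname = "/"; u.search = ""; }
  return u.href;
}

// Returns the referrer string sent for a request from `from` to `to`, or null for none.
function computeReferrer(token, from, to) {
  const t = token.toLowerCase();
  const policy = LEGACY.get(t) || t;
  const src = new URL(from), dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  // Simplifying assumption: only https counts as a trustworthy scheme.
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return strip(from, true);
    case "unsafe-url": return strip(from, false);
    case "no-referrer-when-downgrade": return downgrade ? null : strip(from, false);
    case "same-origin": return sameOrigin ? strip(from, false) : null;
    case "origin-when-cross-origin": return strip(from, !sameOrigin);
    case "strict-origin": return downgrade ? null : strip(from, true);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(from, false);
      return downgrade ? null : strip(from, true);
    default: throw new Error("unrecognized referrer policy token: " + token);
  }
}

// Show what a cross-origin https destination would receive under each token.
for (const p of ["no-referrer", "origin", "origin-when-cross-origin", "unsafe-url"]) {
  console.log(p, "->", computeReferrer(p, SAMPLE_FROM, "https://cdn.example/lib.js"));
}
```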
