Limit `Referer` header's length to 4k

Category
Security
Type
New or changed feature
Status
Enabled by default (Chrome 77)
Intent stage
Evaluate readiness to ship

Summary

Strips the `Referer` header down to its origin when its size exceeds 4k.

Motivation

As noted in https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#cache-and-error-events, servers will often behave in unexpected ways when presented with an overly-long `Referer` header. This is unfortunate, as `Referer` is one header whose length attackers generally retain control over when generating `no-cors` requests.

Standards & signals

Docs: https://github.com/whatwg/fetch/issues/903

Explainers: https://github.com/whatwg/fetch/issues/903