The Referrer specification from the W3C Web Application Security Working Group gives site authors greater control over the Referer [sic] request header that browsers automatically send in many cases. For example, we set <meta name="referrer" content="origin"> on pages with sensitive information, which instructs the browser to send only the origin instead of the full URL. We recently rolled out origin-when-crossorigin nearly site-wide... or so we thought. @VishnuDfx reported that we had forgotten to add the tag to our static error pages. While there was no known chained attack leading to the exfiltration of secrets, these error pages may contain sensitive information, so we set origin-when-crossorigin for our static error pages just in case.
Note: origin-when-crossorigin has since been renamed origin-when-cross-origin in the specification, and the old spelling may stop working in newer browsers soon.
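The gap described above (a policy rolled out to templated pages but missed on static files) is the kind of thing a build-time check catches. The following is an added example, not code from the original post or from the site it describes: it parses each HTML file for <meta name="referrer"> tags, takes the last one (a later meta element overrides an earlier one), and reports pages that have no policy, the legacy origin-when-crossorigin spelling, or a value the specification does not define. The sample pages and paths are constructed for the example; the list of valid keywords is the set defined by the Referrer Policy specification.

```python
"""Audit static HTML files for a current, valid <meta name="referrer"> policy."""
from html.parser import HTMLParser

# Policy keywords defined by the W3C Referrer Policy specification.
# The empty string means "no policy set here; fall back to the default".
VALID_POLICIES = {
    "", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Early-draft spelling mentioned in the post, mapped to its current name.
LEGACY_POLICIES = {"origin-when-crossorigin": "origin-when-cross-origin"}


class _ReferrerMetaParser(HTMLParser):
    """Collects the content of every <meta name="referrer"> in document order."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lower-cases tag and attribute names
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "referrer":
            self.policies.append(attr.get("content", "").strip().lower())


def referrer_policy(html):
    """Return (policy, status) for one page.

    status is "missing" (no tag), "legacy" (old spelling), "ok", or "invalid".
    """
    parser = _ReferrerMetaParser()
    parser.feed(html)
    if not parser.policies:
        return None, "missing"
    policy = parser.policies[-1]  # the last meta referrer element wins
    if policy in LEGACY_POLICIES:
        return policy, "legacy"
    if policy in VALID_POLICIES:
        return policy, "ok"
    return policy, "invalid"


def audit_pages(pages):
    """Return one finding per page that lacks a current, valid referrer policy."""
    findings = []
    for path, html in pages.items():
        policy, status = referrer_policy(html)
        if status == "ok":
            continue
        if status == "missing":
            advice = 'add <meta name="referrer" content="origin-when-cross-origin">'
        elif status == "legacy":
            advice = f"rename {policy} to {LEGACY_POLICIES[policy]}"
        else:
            advice = f"unknown policy {policy!r}; browsers ignore it"
        findings.append({"path": path, "policy": policy,
                         "status": status, "advice": advice})
    return findings


# Constructed sample pages: one templated page with a policy, one static error
# page with none, and one static error page using the legacy spelling.
SAMPLE_PAGES = {
    "/account": '<html><head><meta name="referrer" content="origin"></head>'
                '<body>account</body></html>',
    "/404.html": '<html><head><title>Not found</title></head>'
                 '<body>404</body></html>',
    "/500.html": '<html><head><meta NAME="Referrer" CONTENT="origin-when-crossorigin">'
                 '</head><body>500</body></html>',
}

if __name__ == "__main__":
    for finding in audit_pages(SAMPLE_PAGES):
        print(f"{finding['path']}: {finding['status']} -> {finding['advice']}")
```

Run it over the directory of static files that ships alongside the templated site (error pages, maintenance pages, any hand-written HTML) so a page that never passes through the template layer still gets checked; a non-empty findings list fails the build.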