Outdated referrer-policy fallback
sauravhiremath opened this issue
The referrer-policy fallback is `no-referrer` in the helmet project (codebase-link).
But the latest docs have updated the fallback to `strict-origin-when-cross-origin`.
Source - https://w3c.github.io/webappsec-referrer-policy/#default-referrer-policy
I can work on the fix if the changes are approved
I'll take a look at this. It's probably a breaking change, too, so we should keep that in mind.
I took a look at this, and I don't think we want to do this.
Helmet's defaults aren't necessarily the defaults in the spec. `no-referrer` preserves privacy a bit better than `strict-origin-when-cross-origin`, which is why I selected it for Helmet's default. In other words, it doesn't matter what the spec says.
Does that make sense? What do you think?
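To make the privacy difference concrete, here is an added example (not code from the Helmet project or from this thread) that models the Referrer Policy spec's referrer computation for the two policies being compared, on constructed sample URLs; `computeReferrer` and the URL values are assumptions for illustration.

```javascript
// Added example: model of the W3C Referrer Policy computation for the two
// policies discussed above. Returns the Referer value that would be sent from
// `fromUrl` when requesting `toUrl`, or null when no Referer is sent.
function stripForReferrer(u) {
  // The spec strips credentials and the fragment before a URL is used as a referrer.
  const url = new URL(u);
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

function isDowngrade(from, to) {
  // A TLS-protected page requesting a non-TLS destination.
  return from.protocol === "https:" && to.protocol !== "https:";
}

function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  switch (policy) {
    case "no-referrer":
      // Helmet's default: nothing about the referring page ever leaks.
      return null;
    case "strict-origin-when-cross-origin":
      // The spec's default: full URL same-origin, origin only cross-origin,
      // nothing on an https -> http downgrade.
      if (isDowngrade(from, to)) return null;
      if (from.origin === to.origin) return stripForReferrer(fromUrl);
      return from.origin + "/";
    default:
      throw new Error(`policy not modelled in this example: ${policy}`);
  }
}

// Constructed sample: a page whose path and query carry account details.
const SAMPLE_FROM = "https://app.example/account?id=42#section";
const SAMPLE_TARGETS = ["https://app.example/settings", "https://other.example/", "http://other.example/"];

for (const policy of ["no-referrer", "strict-origin-when-cross-origin"]) {
  for (const to of SAMPLE_TARGETS) {
    console.log(policy, "->", to, ":", computeReferrer(policy, SAMPLE_FROM, to));
  }
}
```

The same-origin case shows what `strict-origin-when-cross-origin` still exposes (path and query, fragment stripped) that `no-referrer` does not.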
I'm going to close this issue because I don't think there's more to do here. Let me know if that's wrong and I'm happy to reopen.