network.http.referer.disallowCrossSiteRelaxingDefault not working
a website im using is trin to call an api with referer header and policy of "origin-when-cross-origin", but firefox overides it to "Same Origin Policy" with console msg: Referrer Policy: Less restricted policies, including ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’ and ‘unsafe-url’, will be ignored soon for the cross-site request
After a lot of search, i found that network.http.referer.disallowCrossSiteRelaxingDefault config setting should be set to false to allow any policy, but toggling between false or true has no affect. The request still fails with a cors error "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at..."
Is there a way to make this work? Or a way to allow the request to have this referer policy.
Tất cả các câu trả lời (1)
Hmm, the way I read this --
reliancesaransh said
console msg: Referrer Policy: Less restricted policies, including ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’ and ‘unsafe-url’, will be ignored soon for the cross-site request
-- it is a warning about a change coming in the future, and not what just happened in real time.
When I briefly consult the source code, you should only see the warning when the preference relevant for the context (regular window or private window) is set to false:
- network.http.referer.disallowCrossSiteRelaxingDefault
- network.http.referer.disallowCrossSiteRelaxingDefault.pbmode
https://searchfox.org/mozilla-release/source/dom/security/ReferrerInfo.cpp#775
Are there any other messages in the console which might get us closer to understanding the source of the problem?
If you switch to the Network panel (Command+Alt+E) and then try the request again, do you get any unexpected status codes on the responses?
Does it make any difference if you disable Tracking Protection on the site? Click the shield icon at the left end of the address bar (next to the lock icon) and then click the slider switch at the top of the drop-down panel.