Hi there,
Chrome team involved with the change in question here (maudnals, cos_theta, rowan_m on Twitter). A few ideas to share, we hope this may help!
@jamesward 's suggestion would fix the problem, but full GitHub URLs would always be leaked in all outgoing cross-origin requests across all of GitHub, which hinders users' privacy. Browsers are generally switching to strict-origin-when-cross-origin as a default for this reason. This also may not be future-proof, in case browsers become more strict and stop sharing full URLs in Referers in cross-origin requests.
A few ideas/solutions:
Solution 1
[EDIT: not working]
Button users now must include HTML to specify a referrer policy instead of simple markdown: <a referrerpolicy="no-referrer-when-downgrade" href="https://deploy.cloud.run"><img src="https://deploy.cloud.run/button.svg" alt="Run on Google Cloud"></a>.
=> Example here: https://github.com/maudnals/button-sample/blob/master/README.md
Pros:
- GH users' privacy is preserved
- Doable "today/soon"? (would require Heroku/Cloud Run documentation change)
Cons:
- May not be future-proof, in case browsers become more strict and stop sharing full URLs in Referer cross-origin.
- May not be supported on Safari iOS.
(A variation of this would be to update the markdown to support specifying the referrerpolicy attribute.)
Solution 2
Button users (= people that include a Heroku/Cloud Run button on their GH repo) now always need to specify the GH repo. Heroku/Cloud Run scripts never rely on the Referer anymore.
Pros:
- GH users' privacy is preserved.
Cons:
- Heroku/Cloud Run/Other tools need to update their systems to not expect a Referer.
- For GH users, forking repos that include a Heroku/Cloud Run button requires one more step: changing the repo URL in the Button configuration. This may lead to errors if they forget to do so. Mitigation: Heroku/Cloud Run may update their documentation to include a warning: "When including the button on a GH repo, add a line on your README that says: 'Change this if you fork this repo!'".
- Potentially more future-proof. Not dependent on browser behaviour.
Side note for GitHub: regardless of the solution, applying an explicit privacy-preserving policy of strict-origin-when-cross-origin globally to github.com would help it behave predictably. Because if github.com has no policy at all, it will fall back to the browser default policy i.e. strict-origin-when-cross-origin or other, depending on the browser - the behaviour won't be consistent across browsers and will evolve as browser default changes.
maudnals, cos_theta, rowan_m on Twitter