Chrome team involved with the change in question here (maudnals, cos_theta, rowan_m on Twitter). A few ideas to share, we hope this may help!
@jamesward's suggestion would fix the problem, but full GitHub URLs would always be leaked in all outgoing cross-origin requests across all of GitHub, which hinders users' privacy. Browsers are generally switching to strict-origin-when-cross-origin as a default for this reason. This also may not be future-proof, in case browsers become more strict and stop sharing full URLs in Referers in cross-origin requests.
A few ideas/solutions:
[EDIT: not working]
Button users now must include HTML to specify a referrer policy instead of simple markdown:
`<a referrerpolicy="no-referrer-when-downgrade" href="https://deploy.cloud.run"><img src="https://deploy.cloud.run/button.svg" alt="Run on Google Cloud"></a>`
=> Example here: https://github.com/maudnals/button-sample/blob/master/README.md
- GH users’ privacy is preserved
- Doable “today/soon”? (would require Heroku/Cloud Run documentation change)
- May not be future-proof, in case browsers become more strict and stop sharing full URLs in
- May not be supported on Safari iOS.
(A variation of this would be to update the markdown to support specifying the
Button users (= people who include a Heroku/Cloud Run button on their GH repo) now always need to specify the GH repo. Heroku/Cloud Run scripts never rely on the
- GH users’ privacy is preserved.
- Heroku/Cloud Run/Other tools need to update their systems to not expect a
- For GH users, forking repos that include a Heroku/Cloud Run button requires one more step: changing the repo URL in the Button configuration. This may lead to errors if they forget to do so. Mitigation: Heroku/Cloud Run may update their documentation to include a warning: "When including the button on a GH repo, add a line on your README that says: ‘Change this if you fork this repo!’ ".
- Potentially more future-proof. Not dependent on browser behaviour.
Side note for GitHub: regardless of the solution, applying an explicit privacy-preserving policy of strict-origin-when-cross-origin globally to github.com would help it behave predictably, because if github.com has no policy at all, it will fall back to the browser default policy, i.e. strict-origin-when-cross-origin or other, depending on the browser; the behaviour won't be consistent across browsers and will evolve as browser defaults change.
maudnals, cos_theta, rowan_m on Twitter