“Unlike other browsers, Chrome resolves the Link header on subresource requests. But what’s the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters,” he wrote.
Link headers are used by websites to tell a browser about important page resources, for example, images, that it should preload. As part of the HTTP response that happens before the browser encounters any HTML, this accelerates response times. When the browser goes hunting for the resource, usually on a third-party server, it transmits a URL containing information about the requesting site, as allowed by the referrer-policy.
Unfortunately, in Chrome this URL can also include information with a bearing on security, such as OAuth flows used for authentication.
Read the full article here
