blob: 5f0247b935b78c645f8afc6287d58722b50e3d80 [file] [log] [blame]
{
"specification": [
{
"name": "unset-referrer-policy",
"title": "Referrer Policy is not explicitly defined",
"description": "Check that referrer URL follows no-referrer-when-downgrade policy when no explicit Referrer Policy is set.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policies",
"referrer_policy": null,
"test_expansion": [
{
"name": "insecure-protocol",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "upgrade-protocol",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "downgrade-protocol",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "omitted"
},
{
"name": "secure-protocol",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "stripped-referrer"
}
]
},
{
"name": "no-referrer",
"title": "Referrer Policy is set to 'no-referrer'",
"description": "Check that sub-resource never gets the referrer URL.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer",
"referrer_policy": "no-referrer",
"test_expansion": [
{
"name": "generic",
"expansion": "default",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "omitted"
}
]
},
{
"name": "no-referrer-when-downgrade",
"title": "Referrer Policy is set to 'no-referrer-when-downgrade'",
"description": "Check that non a priori insecure subresource gets the full Referrer URL. A priori insecure subresource gets no referrer information.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer-when-downgrade",
"referrer_policy": "no-referrer-when-downgrade",
"test_expansion": [
{
"name": "insecure-protocol",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "upgrade-protocol",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "downgrade-protocol",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "omitted"
},
{
"name": "secure-protocol",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "stripped-referrer"
}
]
},
{
"name": "origin",
"title": "Referrer Policy is set to 'origin'",
"description": "Check that all subresources in all casses get only the origin portion of the referrer URL.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin",
"referrer_policy": "origin",
"test_expansion": [
{
"name": "generic",
"expansion": "default",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "origin"
}
]
},
{
"name": "same-origin",
"title": "Referrer Policy is set to 'same-origin'",
"description": "Check that cross-origin subresources get no referrer information and same-origin get the stripped referrer URL.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin",
"referrer_policy": "same-origin",
"test_expansion": [
{
"name": "same-origin-insecure",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "same-origin-secure-default",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "same-origin-insecure",
"expansion": "override",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "swap-origin-redirect",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "omitted"
},
{
"name": "cross-origin",
"expansion": "default",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "cross-origin",
"subresource": "*",
"referrer_url": "omitted"
}
]
},
{
"name": "origin-when-cross-origin",
"title": "Referrer Policy is set to 'origin-when-cross-origin'",
"description": "Check that cross-origin subresources get the origin portion of the referrer URL and same-origin get the stripped referrer URL.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin-when-cross-origin",
"referrer_policy": "origin-when-cross-origin",
"test_expansion": [
{
"name": "same-origin-insecure",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "same-origin-secure-default",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "same-origin-upgrade",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "same-origin-downgrade",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "same-origin-insecure",
"expansion": "override",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "swap-origin-redirect",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "cross-origin",
"expansion": "default",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "cross-origin",
"subresource": "*",
"referrer_url": "origin"
}
]
},
{
"name": "strict-origin",
"title": "Referrer Policy is set to 'strict-origin'",
"description": "Check that non a priori insecure subresource gets only the origin portion of the referrer URL. A priori insecure subresource gets no referrer information.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin",
"referrer_policy": "strict-origin",
"test_expansion": [
{
"name": "insecure-protocol",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "upgrade-protocol",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "downgrade-protocol",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "omitted"
},
{
"name": "secure-protocol",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "origin"
}
]
},
{
"name": "strict-origin-when-cross-origin",
"title": "Referrer Policy is set to 'strict-origin-when-cross-origin'",
"description": "Check that a priori insecure subresource gets no referrer information. Otherwise, cross-origin subresources get the origin portion of the referrer URL and same-origin get the stripped referrer URL.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin",
"referrer_policy": "strict-origin-when-cross-origin",
"test_expansion": [
{
"name": "same-insecure",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "same-insecure",
"expansion": "override",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "swap-origin-redirect",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "cross-insecure",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "cross-origin",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "upgrade-protocol",
"expansion": "default",
"source_protocol": "http",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "downgrade-protocol",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "http",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "omitted"
},
{
"name": "same-secure",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "stripped-referrer"
},
{
"name": "same-secure",
"expansion": "override",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "swap-origin-redirect",
"origin": "same-origin",
"subresource": "*",
"referrer_url": "origin"
},
{
"name": "cross-secure",
"expansion": "default",
"source_protocol": "https",
"target_protocol": "https",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "cross-origin",
"subresource": "*",
"referrer_url": "origin"
}
]
},
{
"name": "unsafe-url",
"title": "Referrer Policy is set to 'unsafe-url'",
"description": "Check that all sub-resources get the stripped referrer URL.",
"specification_url": "https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-unsafe-url",
"referrer_policy": "unsafe-url",
"test_expansion": [
{
"name": "generic",
"expansion": "default",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["http-rp", "meta-referrer", "attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "stripped-referrer"
}
]
}
],
"excluded_tests":[
{
"name": "cross-origin-workers",
"expansion": "*",
"source_protocol": "*",
"target_protocol": "*",
"redirection": "*",
"delivery_method": "*",
"origin": "cross-origin",
"subresource": [
"worker-request",
"module-worker",
"shared-worker"
],
"referrer_url": "*"
},
{
"name": "upgraded-protocol-workers",
"expansion": "*",
"source_protocol": "http",
"target_protocol": "https",
"delivery_method": "*",
"redirection": "*",
"origin": "*",
"subresource": [
"worker-request",
"module-worker",
"shared-worker"
],
"referrer_url": "*"
},
{
"name": "mixed-content-insecure-subresources",
"expansion": "*",
"source_protocol": "https",
"target_protocol": "http",
"delivery_method": "*",
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "*"
},
{
"name": "elements-not-supporting-attr-referrer",
"expansion": "*",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["attr-referrer"],
"redirection": "*",
"origin": "*",
"subresource": [
"xhr-request",
"worker-request",
"module-worker",
"shared-worker",
"fetch-request"
],
"referrer_url": "*"
},
{
"name": "elements-not-supporting-rel-noreferrer",
"expansion": "*",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": ["rel-noreferrer"],
"redirection": "*",
"origin": "*",
"subresource": [
"iframe-tag",
"img-tag",
"script-tag",
"xhr-request",
"worker-request",
"module-worker",
"shared-worker",
"fetch-request",
"area-tag"
],
"referrer_url": "*"
},
{
"name": "area-tag",
"expansion": "*",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": "*",
"redirection": "*",
"origin": "*",
"subresource": "area-tag",
"referrer_url": "*"
},
{
"name": "worker-requests-with-swap-origin-redirect",
"expansion": "*",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": "*",
"redirection": "swap-origin-redirect",
"origin": "*",
"subresource": [
"worker-request",
"module-worker",
"shared-worker"
],
"referrer_url": "*"
},
{
"name": "overhead-for-redirection",
"expansion": "*",
"source_protocol": "*",
"target_protocol": "*",
"delivery_method": "*",
"redirection": ["keep-origin-redirect", "swap-origin-redirect"],
"origin": "*",
"subresource": ["a-tag", "area-tag"],
"referrer_url": "*"
},
{
"name": "source-https-unsupported-by-web-platform-tests-runners",
"expansion": "*",
"source_protocol": "https",
"target_protocol": "*",
"delivery_method": "*",
"redirection": "*",
"origin": "*",
"subresource": "*",
"referrer_url": "*"
}
],
"referrer_policy_schema": [
null,
"no-referrer",
"no-referrer-when-downgrade",
"same-origin",
"origin",
"origin-when-cross-origin",
"strict-origin",
"strict-origin-when-cross-origin",
"unsafe-url"
],
"test_expansion_schema": {
"expansion": [
"default",
"override"
],
"delivery_method": [
"http-rp",
"meta-referrer",
"attr-referrer",
"rel-noreferrer"
],
"origin": [
"same-origin",
"cross-origin"
],
"source_protocol": [
"http",
"https"
],
"target_protocol": [
"http",
"https"
],
"redirection": [
"no-redirect",
"keep-origin-redirect",
"swap-origin-redirect"
],
"subresource": [
"iframe-tag",
"img-tag",
"script-tag",
"a-tag",
"area-tag",
"xhr-request",
"worker-request",
"module-worker",
"shared-worker",
"fetch-request"
],
"referrer_url": [
"omitted",
"origin",
"stripped-referrer"
]
}
}