CSP report referrer should adhere to referrer policy

[imolorhe-stripe]

I'm going through the CSP spec and trying to understand the treatment for the referrer field, and it doesn't seem to mention anything about adhering to the referrer policy of the page.

From logs, it appears chrome doesn't follow the referrer policy and adds the full referrer in the violation (including path and query parameters) even if the resource and referrer are cross origin. It also does the same thing if the CSP report endpoint is in a different origin as well.

[annevk]

I don't think this is correct. The referrer field of a violation report is essentially a copy of the document's referrer.

So when a user navigates from A to B by clicking a link and B has a Referrer-Policy and sends a violation report of some kind, the violation report would include some information about A (which itself has been subject to A's Referrer-Policy). And the Referer header of the violation report itself would be subject to B's Referrer-Policy.