Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

I think the right default is no-referrer. Sec-Fetch-Site exists for security use cases. If you wanted to do it across origins, same-origin wouldn't work anyway. If people want data for analytics, they should need to explicitly enable it and browsers shouldn't necessarily listen.

3:16 PM · Mar 25, 2021Twitter Web App

Replying to

and

If it was up to me, browser HTTP/2 would have started implying secure defaults for security settings. HTTP/3 would be advancing further. Missed opportunities. Other than CSP navigate-to, most things should be same-origin only by default. Require opting into breaking that down.