Intent to Ship: Modulepreload Referrer Header Fix

392 views
Skip to first unread message

Chromestatus

unread,
May 13, 2025, 4:11:00 PM May 13
to blin...@chromium.org, hjanu...@gmail.com

Contact emails

hjanu...@gmail.com

Explainer

None

Specification

https://html.spec.whatwg.org/multipage/links.html#link-type-modulepreload:script-fetch-options

Summary

Fixes modulepreload to properly send referrer headers by using ClientReferrerString() instead of NoReferrer(). This aligns Chrome with the HTML specification which requires using the client's referrer for module fetches. Includes WPT test verifying both dynamic imports and modulepreload correctly send referrer headers.



Blink component

Blink>Loader>Preload

TAG review

None

TAG review status

Not applicable

Risks



Interoperability and Compatibility

The primary risk is that some servers may have adapted to Chrome's non-standard behavior, implementing logic that assumes modulepreload requests will never include referrer headers. These systems could potentially mishandle or reject requests with the newly added referrer information. However, this risk is mitigated by the fact that other major browsers already implement the correct behavior, meaning most cross-browser web applications should already handle referrer headers properly. Additionally, since modulepreload is a relatively recent feature, widespread dependence on the incorrect behavior is unlikely. The benefit of standards compliance and consistent behavior across script loading methods outweighs these potential compatibility concerns.



Gecko : Shipped/Shipping

WebKit : Shipped/Shipping

Web developers : No signals

Other signals :

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

Is this feature fully tested by web-platform-tests ?

No

Flag name on about://flags

None

Finch feature name

None

Non-finch justification

None

Rollout plan

Will ship enabled for all users

Requires code in //chrome?

False

Tracking bug

https://crbug.com/409959472

Estimated milestones

No milestones specified



Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5144463990849536?gate=4969922291302400

This intent message was generated by Chrome Platform Status .

Domenic Denicola

unread,
May 14, 2025, 12:51:51 AM May 14
to Chromestatus, blin...@chromium.org, hjanu...@gmail.com
On Wed, May 14, 2025 at 5:10 AM Chromestatus < ad...@cr-status.appspotmail.com > wrote:

Contact emails

hjanu...@gmail.com

Explainer

None

Specification

https://html.spec.whatwg.org/multipage/links.html#link-type-modulepreload:script-fetch-options

Summary

Fixes modulepreload to properly send referrer headers by using ClientReferrerString() instead of NoReferrer(). This aligns Chrome with the HTML specification which requires using the client's referrer for module fetches. Includes WPT test verifying both dynamic imports and modulepreload correctly send referrer headers.


Can you update this to talk about what effects web developers see, instead of using the names of Chromium-codebase functions? This summary will be reflected to web developer-facing blog posts and such.


Blink component

Blink>Loader>Preload

TAG review

None

TAG review status

Not applicable

Risks



Interoperability and Compatibility

The primary risk is that some servers may have adapted to Chrome's non-standard behavior, implementing logic that assumes modulepreload requests will never include referrer headers. These systems could potentially mishandle or reject requests with the newly added referrer information. However, this risk is mitigated by the fact that other major browsers already implement the correct behavior, meaning most cross-browser web applications should already handle referrer headers properly. Additionally, since modulepreload is a relatively recent feature, widespread dependence on the incorrect behavior is unlikely. The benefit of standards compliance and consistent behavior across script loading methods outweighs these potential compatibility concerns.



Gecko : Shipped/Shipping

WebKit : Shipped/Shipping

Web developers : No signals

Other signals :

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

Is this feature fully tested by web-platform-tests ?

No

Above you said there were WPTs, but here you say there are not. Which is correct? If there are such tests, can you provide links to them?


Flag name on about://flags

None

Finch feature name

None

Non-finch justification

None

Either a Finch feature name or (rarely) a non-Finch justification is necessary for any possibly-breaking change like this.


Rollout plan

Will ship enabled for all users

Requires code in //chrome?

False

Tracking bug

https://crbug.com/409959472

Estimated milestones

No milestones specified



Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5144463990849536?gate=4969922291302400

This intent message was generated by Chrome Platform Status .
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org .
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6823a747.050a0220.624fd.01b3.GAE%40google.com .

Chris Harrelson

unread,
May 14, 2025, 11:13:58 AM May 14
to Domenic Denicola, Chromestatus, blin...@chromium.org, hjanu...@gmail.com
Please also fill out the Privacy, Security, Enterprise, Debuggability and Testing sections in the chromestatus entry.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra-BywrbKFHpjkM-SVespzLEesezHZSkn9S_vy1UrWXKjQ%40mail.gmail.com .

Helmut Januschka

unread,
Aug 27, 2025, 12:58:29 PM (11 days ago)  Aug 27
to blink-dev, Chris Harrelson, Chromestatus, blin...@chromium.org, Helmut Januschka, dom...@chromium.org
Hi all,

I mistakenly landed the [CL]( https://chromium-review.googlesource.com/c/chromium/src/+/6509110 ) in M140 before getting the intent to ship approved. My apologies for that.


I'd appreciate guidance on how to proceed, given that.
One way to go would be to keep the CL landed, and get your approvals (and the approval of the various checks retroactively).
Another would be to revert the CL and try to merge-back that revert to 140 (allthough stable cut was yesterday :'( ).

Please let me know which way you prefer to go.

Thanks,

Mike Taylor

unread,
Aug 28, 2025, 10:54:45 AM (10 days ago)  Aug 28
to Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, Krishna Govind

Hey Helmut,

Oops. It's unfortunate that this feature is missing Privacy, Security, Enterprise, Debuggability & Testing reviews (per Chris' request back in May)... but I think more concerning is the fact that it's not guarded behind a feature flag. If we do end up breaking some sites (the risk seems pretty low, I think... but not zero, and sometimes it takes a few months for subtle bugs to be understood), we don't have an easy way to disable this besides merges and a Stable respin. My instinct would be to revert the CL on trunk and get that merged to 141 Beta ASAP. Adding M140 release owners Srinivas and Krishna for their guidance on what to do for the stable release (maybe nothing is the right answer - it doesn't seem like an emergency right now).

You could then re-land the feature behind a disabled-by-default flag, and work through the normal reviews process.

(There are also unanswered questions from Chris that would help API OWNERs review the feature - can you answer those and kick off the reviews in the chromestatus entry?)

thanks,Mike

Mike Taylor

unread,
Aug 28, 2025, 11:40:10 AM (10 days ago)  Aug 28
to Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, Krishna Govind

Thanks Helmet - please don't be too hard on yourself. We've all been there. :)

For now, I would recommend getting the revert landed and requesting a merge into beta. Thanks for requesting the other reviews.

On 8/28/25 5:36 p.m., Helmut Januschka wrote:
again, super sorry, this might be the single worst chromium day i had since my first contribution.
tried to fillout everything in chromestatus entry, and request all the reviews again.

a revert CL is here:  https://chromium-review.googlesource.com/c/chromium/src/+/6895357 ready to review/submit.

just a note, about potential breakage, the WPT's i added, did pass on other browsers already (that should be no excuse; but might be a hint of a hopefully non-nuclear blast radius)

please feel free - to let me know what the next steps are, i am fully committed to do whatever is necessary to turn this situation into a positive state.

Krishna Govind

unread,
Aug 28, 2025, 12:22:08 PM (10 days ago)  Aug 28
to Mike Taylor, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista
Hi Mike,

Thank you for including Srinivas and me in this discussion.

Since M140 was released to early stable yesterday with this feature enabled by default and without all necessary approvals, it's critical that we merge the revert to M140 and recut the M140 Stable RC for release on Tuesday, September 2nd.

 I request that the revert be landed to trunk as soon as possible: [ https://chromium-review.googlesource.com/c/chromium/src/+/6895357 ]

I have a few questions for clarity:

  • Is this feature applicable only to Windows? I'm asking because it's listed under the Blink component, but the bug only has OS=Windows applied: [ https://g-issues.chromium.org/issues/409959472 ]. 
  • How safe is it to disable this feature this late in the M140 release cycle?
    • The enabled-by-default CL landed on July 12th in Canary 140.0.7309.0, and we branched M140 (7339) on August 4th. 
  • Do we have any coverage at all with this feature disabled?
  • Please provide a launch bug for this feature. 
We will need to create an IRM and request a postmortem for this.

@Srinivas Sista  for his input as well. 


Thank you,
Krishna

Krishna Govind

unread,
Aug 28, 2025, 12:26:35 PM (10 days ago)  Aug 28
to Mike Taylor, Ben Mason, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista
+Ben Mason  for awareness and visibility

Helmut Januschka

unread,
Aug 28, 2025, 3:10:56 PM (10 days ago)  Aug 28
to blink-dev, Krishna Govind, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, mike...@chromium.org, Ben Mason
revert landet!

the post mortem from my side: totally my fault, i saw the CR+1's and the Submit button, forgot about the not finished chromestatus feature entry
Message has been deleted

Yoav Weiss (@Shopify)

unread,
Aug 28, 2025, 3:38:10 PM (10 days ago)  Aug 28
to Krishna Govind, Mike Taylor, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista
On Thu, Aug 28, 2025 at 6:21 PM 'Krishna Govind' via blink-dev < blin...@chromium.org > wrote:
Hi Mike,

Thank you for including Srinivas and me in this discussion.

Since M140 was released to early stable yesterday with this feature enabled by default and without all necessary approvals, it's critical that we merge the revert to M140 and recut the M140 Stable RC for release on Tuesday, September 2nd.

 I request that the revert be landed to trunk as soon as possible: [ https://chromium-review.googlesource.com/c/chromium/src/+/6895357 ]

I have a few questions for clarity:

I believe the feature is applicable to all OSes beyond iOS. 
  • How safe is it to disable this feature this late in the M140 release cycle?
    • The enabled-by-default CL landed on July 12th in Canary 140.0.7309.0, and we branched M140 (7339) on August 4th. 
I believe it's safe to disable. 
  • Do we have any coverage at all with this feature disabled?
In terms of tests I believe the CL's revert also removes the relevant WPTs. 

  • Please provide a launch bug for this feature. 

Yoav Weiss (@Shopify)

unread,
Aug 28, 2025, 3:46:27 PM (10 days ago)  Aug 28
to Krishna Govind, Mike Taylor, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista

Krishna Govind

unread,
Aug 28, 2025, 4:26:13 PM (10 days ago)  Aug 28
to Yoav Weiss (@Shopify), Daniel Cheng, Mike Taylor, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista
Thank you, any impact on Android Webview? Will it be safe to merge the revert?

Merged the revert to latest canary branch 7381 and triggered a new canary #141.0.7381.3, please verify once available, will approve M140 merge after canary coverage/verification.
Updated the bugs:
Adding  @Daniel Cheng  as well for context

Thank you,
Krishna



Yoav Weiss (@Shopify)

unread,
Aug 28, 2025, 11:40:48 PM (10 days ago)  Aug 28
to Krishna Govind, Daniel Cheng, Mike Taylor, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista
On Thu, Aug 28, 2025 at 10:25 PM Krishna Govind < gov...@google.com > wrote:
Thank you, any impact on Android Webview? Will it be safe to merge the revert?

Yeah, it will impact Android WebViews as well. (but is safe to merge)

Helmut Januschka

unread,
Sep 2, 2025, 5:00:20 AM (5 days ago)  Sep 2
to blink-dev, yoav...@chromium.org, Daniel Cheng, mike...@chromium.org, Helmut Januschka, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, Krishna Govind
the revert was back-merged into 140, and i am working on a reland here:  http://crrev.com/c/6898599 with feature flag around the change.

Helmut Januschka

unread,
Sep 2, 2025, 2:30:59 PM (5 days ago)  Sep 2
to blink-dev, Helmut Januschka, yoav...@chromium.org, Daniel Cheng, mike...@chromium.org, blink-dev, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, Krishna Govind
It's relanded now with a feature flag! Thanks to everyone involved, and sorry for the troubles!

Daniel Bratell

unread,
Sep 3, 2025, 11:17:28 AM (4 days ago)  Sep 3
to Helmut Januschka, blink-dev, yoav...@chromium.org, Daniel Cheng, mike...@chromium.org, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, Krishna Govind

Great!

Can you please add the flag to appropriate field in the feature's chromestatus entry so that people can find the flag if needed?

/Daniel

Helmut Januschka

unread,
Sep 3, 2025, 12:04:21 PM (4 days ago)  Sep 3
to blink-dev, Daniel Bratell, yoav...@chromium.org, Daniel Cheng, mike...@chromium.org, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, Krishna Govind, Helmut Januschka
so it is a FinchFlag `ModulePreloadReferrer`  and it is not listed in about_flags.cc - hope i filled out the correct field in chromestatus
should it be listed in about_flags for webdevs to enable? 

Domenic Denicola

unread,
Sep 3, 2025, 9:15:51 PM (4 days ago)  Sep 3
to Helmut Januschka, blink-dev, Daniel Bratell, yoav...@chromium.org, Daniel Cheng, mike...@chromium.org, Chris Harrelson, Chromestatus, dom...@chromium.org, Srinivas Sista, Krishna Govind
You got it right! And no, there's no need for the heavier-weight about:flags for these sorts of small changes.
Reply all
Reply to author
Forward
0 new messages