
Presumably just throwing a 403 if they have this referrer is ok and won't have a weird SEO impact or something?


Couldn't the attacker evade that by sending Referrer-Policy: no-referrer with their redirect?


Good shout. Can always block based on origin header though (when under the assumption that it's a legit browser) since it's a forbidden header name.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Or...


Neither the Origin nor the Referer headers have anything to do with a 301 redirect.


I just tested on Firefox and it doesn't send the "Origin" header when using referrerpolicy="no-referrer". It's also not present when navigating using the URL bar directly.


Sounds like a security flaw that browsers honor this.


Referer is not a security mechanism.


I didn't say it was. Browsers display an alert when full-screen mode is activated. Full-screen mode isn't a security feature, but the browser does something the website developer can't control so that users can conclude that something fishy isn't going on. I think the ability for one website to hide that they've redirected to another is a vulnerability.


I'm inclined to agree that websites should know when they're the target of a redirect but that has nothing to do with Referer! That header does not work the way so many seem to think it does. As I've laid out elsewhere in this thread, HTTP redirects do not show up in Referer under any circumstances. Right now, one site doesn't have to do anything to "hide" that it's part of a redirect chain, since there's no tracking of that chain to begin with.
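A defender-side sketch of the header check argued over above, added here as an illustration and not code from anyone in the thread; the blocked origin, the header dicts and the fail-open/fail-closed switch are all constructed assumptions:

```python
from urllib.parse import urlsplit

# Constructed blocklist of origins we do not want arriving from (hypothetical).
BLOCKED_ORIGINS = {"https://attacker.example"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def decide(headers, fail_closed=False):
    """Return (status, reason) for a request using only Referer and Origin.

    headers: dict of request headers with lower-case keys (constructed input).
    """
    origin = headers.get("origin")
    referer = headers.get("referer")
    # Origin is a forbidden header name: page scripts cannot set it, so when a
    # legitimate browser sends it, it is trustworthy. Browsers omit it on
    # top-level GET navigations, so it does not help for a plain redirect landing.
    if origin is not None:
        if origin.lower() in BLOCKED_ORIGINS:
            return 403, "blocked by Origin"
        return 200, "allowed by Origin"
    # Referer is easy to suppress (Referrer-Policy: no-referrer), so a match
    # is useful evidence but its absence proves nothing.
    if referer is not None:
        if origin_of(referer) in BLOCKED_ORIGINS:
            return 403, "blocked by Referer"
        return 200, "allowed by Referer"
    # Neither header: indistinguishable between a direct URL-bar navigation,
    # a link sent with no-referrer, and a redirect hop (redirects never show
    # up in Referer). Fail open unless the operator opts in to failing closed.
    if fail_closed:
        return 403, "no provenance headers (fail-closed)"
    return 200, "no provenance headers (fail-open)"
```

Calling `decide({})` with the default shows the gap the thread describes: a redirect, a no-referrer link and a typed URL all arrive looking identical, so the check can only fail open or block legitimate direct visits.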


No, and the earlier you do it the better.

Later it might have



