big_omegalul

Reputation: 21

All subdomains as same-origin in referrer policy

My app, myapp, is located on myapp.department.institution.com, while the company-wide login apps are on login.department.institution.com and apps.institution.com. Now we have an issue with the reduced-referrer-granularity flag in Google Chrome.

myapp first redirects to login, which then redirects to apps. Apps in turn is supposed to redirect to login again, but with the full referrer URL https://apps.institution.com/?app=myapp; instead it only sends http://apps.institution.com/.

If I disable the flag, it works fine. From my very limited knowledge about referrer policies, it seems that my only option is to set the referrer policy on apps.institution.com to "unsafe-url". Is there any way to configure referrer policies so that all subdomains of the institution.com domain are considered same-origin?

I did find a tutorial explaining that you can bypass the strict rules (exact match) with the JS code

 document.domain = 'institution.com';

but it did not specify where I'd have to set this. Probably in apps.institution.com, right? That is something I do not have access to, and it is linked to a massive number of apps, so any changes there might be troublesome. Are there any alternatives?

Upvotes: 2

Views: 996

Answers (1)

jenson-button-event

Reputation: 18961

You can keep your top-level setting strict - assuming you have and care about links to external sites from your own.

I believe adding referrerpolicy="unsafe-url" to anchor tags that link to your own subdomains is not a security leak.

What are people worried about? As a visitor to your site I can use dev tools to make that change myself and the document.referrer will be visible.

Upvotes: 0
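As an added illustration (not code from the question or the answer), the function below models what the Referer header carries for one navigation under each Referrer Policy value, so the behaviour the asker sees can be checked hop by hop. The hostnames are the ones from the question; the policy rules follow the W3C Referrer Policy specification, whose same-origin test compares scheme, host and port of the URLs only, so document.domain plays no part in it.

```javascript
// Added example (not the question's or answer's code): model what the Referer
// header carries for a navigation under each Referrer Policy value, so you can
// see why apps.institution.com -> login.department.institution.com loses its
// path under Chrome's default strict-origin-when-cross-origin. Hostnames are
// taken from the question; the policy logic follows the W3C Referrer Policy spec.

function isDowngrade(from, to) {
  // Potentially trustworthy (https) to plain http is a downgrade.
  return from.protocol === 'https:' && to.protocol === 'http:';
}

function sameOrigin(a, b) {
  // Same origin means identical scheme, host AND port. A different subdomain is
  // a different host, so the institution's apps are cross-origin to each other
  // even though they share a registrable domain.
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

function stripForReferrer(url) {
  // Credentials and fragment are never sent in Referer; path and query are.
  const u = new URL(url.href);
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

function referrerFor(policy, fromHref, toHref) {
  const from = new URL(fromHref), to = new URL(toHref);
  const full = stripForReferrer(from);
  const origin = from.origin + '/';          // origin-only Referer has a trailing slash
  const same = sameOrigin(from, to), down = isDowngrade(from, to);
  switch (policy) {
    case 'no-referrer':                 return null;
    case 'unsafe-url':                  return full;      // what referrerpolicy="unsafe-url" yields
    case 'origin':                      return origin;
    case 'same-origin':                 return same ? full : null;
    case 'no-referrer-when-downgrade':  return down ? null : full;
    case 'strict-origin':               return down ? null : origin;
    case 'origin-when-cross-origin':    return same ? full : origin;
    case 'strict-origin-when-cross-origin':
      return same ? full : (down ? null : origin);
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// The hop from the question: apps.institution.com sending the user back to login.
const FROM = 'https://apps.institution.com/?app=myapp';
const TO = 'https://login.department.institution.com/';
console.log(referrerFor('strict-origin-when-cross-origin', FROM, TO)); // https://apps.institution.com/
console.log(referrerFor('unsafe-url', FROM, TO));                      // https://apps.institution.com/?app=myapp
```

Running it shows that only unsafe-url, origin-when-cross-origin's same-origin branch and no-referrer-when-downgrade keep the query string across the subdomain hop; every other policy reduces it to the bare origin or drops it.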
