On Wed, Sep 23, 2020 at 12:16 PM Maud Nalpas <maudn@chromium.org> wrote:

Hi,

I'm reaching out for a question about Referrer-Policy, more specifically about element-level referrer policies (referrerpolicy=...).
I would expect referrerpolicy on HTML elements to override a page's policy for the corresponding request.
But this is not what I'm observing on Safari iOS (12) and Desktop (13, with "Prevent cross site tracking" on). And this diverges from Chrome's and Firefox's behaviour, which seem to honor referrerpolicy on elements.
It's very possible that I'm mistaken and/or that my test site is wrong -- your input would help!

I haven't dug too deep here, but just going to post this in case it answers your question and saves you some time. As documented here, it appears that Safari is starting to not honor the `referrerpolicy` attribute on HTML elements where it would override the referrer policy redaction that their cross-site tracking work has performed, or at least in cases where it would expose more information than what was intended by the cross-site tracking protection. That may be an oversimplification, (I trust someone from WebKit can clarify), but it may explain the behavior you are seeing.

Test
Test site
A policy can be selected in the blue button bar. To test referrerpolicy, the useful section is "Let's test element-based referrerpolicy" at the bottom of the page.

Examples of unexpected behaviour (can be reproduced on the test site)
1. On https://site-one.example/path/foo with a document-level policy of strict-origin-when-cross-origin:
An <a> element with referrerpolicy=no-referrer-when-downgrade links to https://site-two.example (href).
Upon clicking the link and navigating to site-two, site-two gets the origin as a Referer in the request (Referer=https://site-one.example).
I would expect Referer=https://site-one.example/path/foo instead (and this is the behaviour in Chrome and Firefox).
2. On https://site-one.example/path/foo with a document-level policy of no-referrer:
An <img> element with referrerpolicy=strict-origin-when-cross-origin loads an image from https://site-two.example (src).
site-two gets the full URL in this image request (Referer=https://site-one.example/path/foo).
I would expect Referer=https://site-one.example instead (and this is the behaviour in Chrome and Firefox).
3. On https://site-one.example/path/foo with an document-level policy of no-referrer-when-downgrade:
A referrerpolicy on a <script> element seems to be honored on Safari desktop but not on iOS.

Can this be? Why / What would be the expected behaviour?
(I see that referrerpolicy support has been implemented).

Thank you!

- Maud
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev