Hi,
I'm reaching out for a question about Referrer-Policy, more specifically about element-level referrer policies (referrerpolicy=...).
I would expect referrerpolicy on HTML elements to override a page's policy for the corresponding request.
But this is not what I'm observing on Safari iOS (12) and Desktop (13, with "Prevent cross site tracking" on). And this diverges from Chrome's and Firefox's behaviour, which seem to honor referrerpolicy on elements.
It's very possible that I'm mistaken and/or that my test site is wrong -- your input would help!
Test
A policy can be selected in the blue button bar. To test referrerpolicy, the useful section is "Let's test element-based referrerpolicy" at the bottom of the page.
Examples of unexpected behaviour (can be reproduced on the test site)
1. On https://site-one.example/path/foo with a document-level policy of strict-origin-when-cross-origin:
An <a> element with referrerpolicy=no-referrer-when-downgrade links to https://site-two.example (href).
Upon clicking the link and navigating to site-two, site-two gets the origin as a Referer in the request (Referer=https://site-one.example).
I would expect Referer=https://site-one.example/path/foo instead (and this is the behaviour in Chrome and Firefox).
2. On https://site-one.example/path/foo with a document-level policy of no-referrer:
An <img> element with referrerpolicy=strict-origin-when-cross-origin loads an image from https://site-two.example (src).
site-two gets the full URL in this image request (Referer=https://site-one.example/path/foo).
I would expect Referer=https://site-one.example instead (and this is the behaviour in Chrome and Firefox).
3. On https://site-one.example/path/foo with an document-level policy of no-referrer-when-downgrade:
A referrerpolicy on a <script> element seems to be honored on Safari desktop but not on iOS.
Can this be? Why / What would be the expected behaviour?
(I see that referrerpolicy support has been implemented).
Thank you!
- Maud