[webkit-dev] Question: referrerpolicy in Safari

Maud Nalpas maudn at chromium.org
Wed Sep 23 11:15:38 PDT 2020


Hi,

I'm reaching out for a question about Referrer-Policy, more specifically
about *element-level* referrer policies (referrerpolicy=...)
<https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-referrer-attribute>.

I would expect referrerpolicy on HTML elements to override a page's policy
for the corresponding request.

But this is not what I'm observing on Safari iOS (12) and Desktop (13, with
"Prevent cross site tracking" on). And this diverges from Chrome's and
Firefox's behaviour, which seem to honor referrerpolicy on elements.

It's very possible that I'm mistaken and/or that my test site is wrong --
your input would help!

Test

Test site
<https://site-one-dot-referrer-demo-280711.ey.r.appspot.com/stuff/detail?tag=red&p=p0>

A policy can be selected in the blue button bar. To test referrerpolicy,
the useful section is "Let's test element-based referrerpolicy" at the
bottom of the page.

Examples of unexpected behaviour (can be reproduced on the test site)

1. On https://site-one.example/path/foo with a document-level policy of
strict-origin-when-cross-origin:

   - An <a> element with referrerpolicy=no-referrer-when-downgrade links to
     https://site-two.example (href).
   - Upon clicking the link and navigating to site-two, site-two gets the
     origin as a Referer in the request (Referer=https://site-one.example).
   - I would expect Referer=https://site-one.example/path/foo instead (and
     this is the behaviour in Chrome and Firefox).

2. On https://site-one.example/path/foo with a document-level policy of
no-referrer:

   - An <img> element with referrerpolicy=strict-origin-when-cross-origin
     loads an image from https://site-two.example (src).
   - site-two gets the full URL in this image request
     (Referer=https://site-one.example/path/foo).
   - I would expect Referer=https://site-one.example instead (and this is the
     behaviour in Chrome and Firefox).

3. On https://site-one.example/path/foo with a document-level policy of
no-referrer-when-downgrade:

A *referrerpolicy* on a <script> element seems to be honored on Safari
desktop but not on iOS.

Can this be? Why / What would be the expected behaviour?

(I see that *referrerpolicy* support has been implemented
<https://bugs.webkit.org/show_bug.cgi?id=179053>).

Thank you!

- Maud
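
The expected Referer values in examples 1 and 2 above, worked through as an added example that is not part of the original message and is not WebKit, Chrome or Firefox code. It follows the policy definitions in the W3C Referrer Policy spec linked in the message; the function names are hypothetical, and "downgrade" is simplified to https-to-non-https.

```javascript
// Added example: what Referer a request should carry when an element-level
// referrerpolicy attribute overrides the document-level policy.
// effectivePolicy / expectedReferer are hypothetical names.
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// A valid element-level policy wins; otherwise the document policy applies.
function effectivePolicy(documentPolicy, elementPolicy) {
  return POLICIES.has(elementPolicy) ? elementPolicy : documentPolicy;
}

// Returns the Referer header value, or null when no Referer is sent.
function expectedReferer(pageUrl, targetUrl, documentPolicy, elementPolicy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // The spec strips credentials and the fragment before sending a URL.
  page.username = ""; page.password = ""; page.hash = "";
  const full = page.href;
  // On the wire the origin-only form is serialized with a trailing slash.
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === target.origin;
  // Simplification: the spec tests "potentially trustworthy", not just https.
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (effectivePolicy(documentPolicy, elementPolicy)) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "same-origin": return sameOrigin ? full : null;
    case "origin": return originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "unsafe-url": return full;
    default: throw new Error("unknown referrer policy: " + documentPolicy);
  }
}

const PAGE = "https://site-one.example/path/foo";
const TARGET = "https://site-two.example/";
// Example 1: <a referrerpolicy=no-referrer-when-downgrade>, document policy stricter.
console.log(expectedReferer(PAGE, TARGET, "strict-origin-when-cross-origin",
                            "no-referrer-when-downgrade"));
// Example 2: <img referrerpolicy=strict-origin-when-cross-origin>, document no-referrer.
console.log(expectedReferer(PAGE, TARGET, "no-referrer",
                            "strict-origin-when-cross-origin"));
```

Comparing these values with the Referer a server actually logs shows whether the element attribute, the document policy, or neither was applied to a given request.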