[webkit-dev] Question: referrerpolicy in Safari

Dominic Farolino domfarolino at gmail.com
Wed Sep 23 12:50:18 PDT 2020


On Wed, Sep 23, 2020 at 12:16 PM Maud Nalpas <maudn at chromium.org> wrote:

> Hi,
>
> I'm reaching out for a question about Referrer-Policy, more specifically
> about *element-level* referrer policies (referrerpolicy=...)
> <https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-referrer-attribute>.
>
> I would expect referrerpolicy on HTML elements to override a page's
> policy for the corresponding request.
>
> But this is not what I'm observing on Safari iOS (12) and Desktop (13,
> with "Prevent cross site tracking" on). And this diverges from Chrome's and
> Firefox's behaviour, which seem to honor referrerpolicy on elements.
>
> It's very possible that I'm mistaken and/or that my test site is wrong --
> your input would help!
>

I haven't dug too deep here, but just going to post this in case it answers
your question and saves you some time. As documented here
<https://github.com/privacycg/proposals/issues/13#issuecomment-621361878>,
it appears that Safari is starting to not honor the `referrerpolicy`
attribute on HTML elements where it would override the referrer policy
redaction that their cross-site tracking work has performed, or at least in
cases where it would expose more information than what was intended by the
cross-site tracking protection. That may be an oversimplification (I trust
someone from WebKit can clarify), but it may explain the behavior you are
seeing.

>
> Test
>
> Test site
> <https://site-one-dot-referrer-demo-280711.ey.r.appspot.com/stuff/detail?tag=red&p=p0>
>
> A policy can be selected in the blue button bar. To test referrerpolicy,
> the useful section is "Let's test element-based referrerpolicy" at the
> bottom of the page.
>
> Examples of unexpected behaviour (can be reproduced on the test site)
>
> 1. On https://site-one.example/path/foo with a document-level policy of
> strict-origin-when-cross-origin:
>
>    - An <a> element with referrerpolicy=no-referrer-when-downgrade links to
>      https://site-two.example (href).
>    - Upon clicking the link and navigating to site-two, site-two gets the
>      origin as a Referer in the request (Referer=https://site-one.example).
>    - I would expect Referer=https://site-one.example/path/foo instead (and
>      this is the behaviour in Chrome and Firefox).
>
> 2. On https://site-one.example/path/foo with a document-level policy of
> no-referrer:
>
>    - An <img> element with referrerpolicy=strict-origin-when-cross-origin
>      loads an image from https://site-two.example (src).
>    - site-two gets the full URL in this image request
>      (Referer=https://site-one.example/path/foo).
>    - I would expect Referer=https://site-one.example instead (and this is
>      the behaviour in Chrome and Firefox).
>
> 3. On https://site-one.example/path/foo with a document-level policy of
> no-referrer-when-downgrade:
>
> A *referrerpolicy* on a <script> element seems to be honored on Safari
> desktop but not on iOS.
>
> Can this be? Why / What would be the expected behaviour?
>
> (I see that *referrerpolicy* support has been implemented
> <https://bugs.webkit.org/show_bug.cgi?id=179053>).
>
> Thank you!
>
> - Maud
>