[webkit-dev] Question: referrerpolicy in Safari
Michael Catanzaro
mcatanzaro at gnome.org
Wed Sep 23 13:50:00 PDT 2020
On Wed, Sep 23, 2020 at 1:50 pm, Dominic Farolino
<domfarolino at gmail.com> wrote:
> I haven't dug too deep here, but just going to post this in case it
> answers your question and saves you some time. As documented here, it
> appears that Safari is starting to not honor the `referrerpolicy`
> attribute on HTML elements where it would override the referrer
> policy redaction that their cross-site tracking work has performed,
> or at least in cases where it would expose more information than what
> was intended by the cross-site tracking protection. That may be an
> oversimplification (I trust someone from WebKit can clarify), but it
> may explain the behavior you are seeing.
That probably explains case 1. There's some documentation of this at
https://webkit.org/tracking-prevention/. The actual URLs matter here.
With https://site-one.example/path/foo and https://site-two.example/,
the top privately-controlled domains are different (site-one.example
vs. site-two.example) so the referrer will be downgraded to its origin.
But say you were instead testing https://site-one.example.com/path/foo
and https://site-two.example.com/, then the top privately-controlled
domain in both cases is example.com, and there's no forced downgrade.
That doesn't explain what's going on in case 2 or case 3, though.
Smells like bugs?
Michael
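
The downgrade rule described in the message above, modelled as an added example (not part of the original email and not WebKit's code), run on the two URL pairs from the message. The function names, the three-entry suffix set and the "full URL when there is no forced downgrade" result are assumptions of this sketch; a real check uses the full Public Suffix List and the page's actual referrer policy.

```javascript
// Constructed subset of public suffixes, enough for the URLs in the message.
const PUBLIC_SUFFIXES = new Set(["com", "example", "co.uk"]);

// Return the "top privately-controlled domain" (public suffix plus one label),
// or null when the host has no known suffix or is itself a suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // i = 1 is the longest candidate suffix, so the longest match wins.
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Model of the rule: different registrable domains force the referrer down to
// the origin. Otherwise nothing is forced, and this sketch returns the full URL
// without credentials or fragment, the most a permissive policy could send
// (assumption; the effective referrer policy still applies in a browser).
function referrerAfterDowngrade(documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  const docSite = registrableDomain(doc.hostname);
  const targetSite = registrableDomain(target.hostname);
  // Unknown suffixes (IP literals, single-label hosts) only match themselves.
  const sameSite =
    doc.hostname === target.hostname ||
    (docSite !== null && docSite === targetSite);
  if (!sameSite) {
    return { crossSite: true, referrer: doc.origin + "/" };
  }
  doc.username = "";
  doc.password = "";
  doc.hash = "";
  return { crossSite: false, referrer: doc.href };
}

// The two cases from the message.
for (const [from, to] of [
  ["https://site-one.example/path/foo", "https://site-two.example/"],
  ["https://site-one.example.com/path/foo", "https://site-two.example.com/"],
]) {
  console.log(from, "->", to, referrerAfterDowngrade(from, to));
}
```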