[webkit-dev] Question: referrerpolicy in Safari

Michael Catanzaro mcatanzaro at gnome.org
Wed Sep 23 13:50:00 PDT 2020

On Wed, Sep 23, 2020 at 1:50 pm, Dominic Farolino 
<domfarolino at gmail.com> wrote:
> I haven't dug too deep here, but just going to post this in case it 
> answers your question and saves you some time. As documented here, it 
> appears that Safari is starting to not honor the `referrerpolicy` 
> attribute on HTML elements where it would override the referrer 
> policy redaction that their cross-site tracking work has performed, 
> or at least in cases where it would expose more information than what 
> was intended by the cross-site tracking protection. That may be an 
> oversimplification, (I trust someone from WebKit can clarify), but it 
> may explain the behavior you are seeing.

That probably explains case 1. There's some documentation of this at 
https://webkit.org/tracking-prevention/. The actual URLs matter here. 
With https://site-one.example/path/foo and https://site-two.example/, 
the top privately-controlled domains are different (site-one.example 
vs. site-two.example) so the referrer will be downgraded to its origin. 
But say you were instead testing https://site-one.example.com/path/foo 
and https://site-two.example.com/, then the top privately-controlled 
domain in both cases is example.com, and there's no forced downgrade.

That doesn't explain what's going on in case 2 or case 3, though. 
Smells like bugs?


More information about the webkit-dev mailing list