[Webkit-unassigned] [Bug 215163] New: Does a cross-site requests between different eTLD+1 send the full URL as the Referer header?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 5 05:46:25 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=215163

            Bug ID: 215163
           Summary: Does a cross-site requests between different eTLD+1
                    send the full URL as the Referer header?
           Product: WebKit
           Version: Safari 13
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: koba0004 at gmail.com
                CC: beidson at apple.com

I've tested how Safari sends a referrer for cross-site requests.
The following post mentions that Safari sends a referrer downgraded to its origin for all cross-site requests.

> ITP now downgrades all cross-site request referrer headers to just the page’s origin.
https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/

So, I've tested with two sites that are created on glitch.me. glitch.me is registered in the Public Suffix List, so I guess that the referrer for a request between the two sites is its origin, not the full URL.
https://publicsuffix.org/list/public_suffix_list.dat

But the Referer header was the full URL, not the origin.

You can test it like this.
- Navigate to https://referrer-a.glitch.me/referrer-a
- Open Network Panel
- Click Navigate Referrer B
- Check the Referer header for a request to https://referrer-b.glitch.me/referrer-b

Expected Referer Header: https://referrer-a.glitch.me
Actual Referer Header: https://referrer-a.glitch.me/referrer-a.

The cross-site that the blog post mentioned is eTLD+1, isn't it?
https://web.dev/same-site-same-origin/

-- 
You are receiving this mail because:
You are the assignee for the bug.
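
The eTLD+1 reasoning in the report above, as an added example that is not part of the original message or of WebKit's code: it derives the registrable domain from a constructed subset of the Public Suffix List, decides whether two URLs are cross-site, and classifies an observed Referer value. The function names and the suffix subset are assumptions made for illustration.

```javascript
// Constructed subset of the Public Suffix List (full list:
// https://publicsuffix.org/list/public_suffix_list.dat). Wildcard and
// exception rules are not handled in this sketch.
const PUBLIC_SUFFIXES = new Set(["com", "org", "me", "glitch.me", "co.uk"]);

// eTLD+1: the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the subset above
}

// Schemeless same-site comparison; hosts without a registrable domain
// are same-site only when identical.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA).hostname, b = new URL(urlB).hostname;
  const ra = registrableDomain(a), rb = registrableDomain(b);
  return ra === null || rb === null ? a === b : ra === rb;
}

// Classify an observed Referer value relative to the page that sent it.
// A source page at "/" with no query cannot be told apart from origin-only.
function classifyReferer(observed, sourceUrl) {
  if (!observed) return "none";
  const ref = new URL(observed), src = new URL(sourceUrl);
  if (ref.origin !== src.origin) return "other";
  return ref.pathname === "/" && ref.search === "" ? "origin-only" : "full-url";
}

// pathLeaked is true when a cross-site request still carried the path.
function checkDowngrade(sourceUrl, destUrl, observedReferer) {
  const crossSite = !isSameSite(sourceUrl, destUrl);
  const kind = classifyReferer(observedReferer, sourceUrl);
  return { crossSite, kind, pathLeaked: crossSite && kind === "full-url" };
}

// URLs and Referer values taken from the report above.
const SRC = "https://referrer-a.glitch.me/referrer-a";
const DST = "https://referrer-b.glitch.me/referrer-b";
console.log(checkDowngrade(SRC, DST, "https://referrer-a.glitch.me/referrer-a"));
console.log(checkDowngrade(SRC, DST, "https://referrer-a.glitch.me"));
```

Because glitch.me is itself a public suffix, each subdomain is its own registrable domain, so the first call reports a cross-site request whose Referer still carries the path.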