[Webkit-unassigned] [Bug 256472] New: Incorrect Sec-Fetch-Site values on iframes
bugzilla-daemon at webkit.org
Mon May 8 09:46:27 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=256472
Bug ID: 256472
Summary: Incorrect Sec-Fetch-Site values on iframes
Product: WebKit
Version: Safari 16
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Major
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: niemczura at meta.com
Sec-Fetch-Site values are supposed to provide information about the relationship between a request initiator's origin and the origin of the requested resource (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site and https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header).
However, when the following iframe is included on the page, the value of the Sec-Fetch-Site header will be "none":
<iframe method="get" referrerpolicy="no-referrer" src="https://www.example.com"></iframe>
It appears to be due to the referrer policy attribute. Setting it to no-referrer will cause Safari to send the Sec-Fetch-Site header with the "none" value regardless of the origin of the iframe, i.e. same-origin, same-site and cross-site frames would all have this header set to "none".
---
Reproduction steps:
1. Open any website, e.g. example.com
2. Open developer tools and paste the following code in the JS console:
```javascript
// Create a frame pointing at a (cross-site, from most pages) origin.
const iframe = document.createElement('iframe');
iframe.src = 'https://www.example.com';
// The attribute that triggers the reported behaviour.
iframe.referrerPolicy = 'no-referrer';
// Note: iframes have no "method" attribute; this line sets an expando
// property only and has no effect on the request.
iframe.method = 'get';
document.body.appendChild(iframe);
```
3. Inspect the request headers sent on the iframe request.
Expected Outcome:
The Sec-Fetch-Site header is set to same-origin, same-site and cross-site, etc.
Actual Outcome:
The Sec-Fetch-Site header is set to none.
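Added example, not part of the bug report: it computes the Sec-Fetch-Site value the Fetch Metadata spec expects for a request, models the "none" value the report says WebKit sends for no-referrer iframes, and runs both through a constructed server-side framing rule so the effect on the server's decision is visible. The `registrableDomain()` helper, the `embedder.example` origin and the `framingDecision()` policy are assumptions made for the example.

```javascript
// Added example, not part of the bug report. registrableDomain() is
// deliberately simplified (last two host labels); a real implementation
// must consult the Public Suffix List.

function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Spec behaviour: a null initiator (no initiating origin, e.g. a URL typed
// by the user) is reported as "none"; otherwise compare origin, then site.
function expectedSecFetchSite(initiatorOrigin, targetUrl) {
  if (initiatorOrigin === null) return 'none';
  const initiator = new URL(initiatorOrigin);
  const target = new URL(targetUrl);
  if (initiator.origin === target.origin) return 'same-origin';
  if (initiator.protocol === target.protocol &&
      registrableDomain(initiator.hostname) === registrableDomain(target.hostname)) {
    return 'same-site';
  }
  return 'cross-site';
}

// Behaviour described in the report: with referrerpolicy="no-referrer" the
// frame request carries "none" whatever the embedder's origin is.
function reportedSecFetchSite(initiatorOrigin, targetUrl, referrerPolicy) {
  if (referrerPolicy === 'no-referrer') return 'none';
  return expectedSecFetchSite(initiatorOrigin, targetUrl);
}

// Constructed server-side rule in the usual Fetch Metadata "resource
// isolation" shape: frame loads are served only to same-origin or same-site
// embedders; "none" is normally trusted because a request with no initiator
// cannot be a frame load.
function framingDecision(headers) {
  const dest = headers['sec-fetch-dest'];
  const site = headers['sec-fetch-site'];
  if (dest !== 'iframe' && dest !== 'frame') return 'allow'; // not a frame load
  if (site === undefined) return 'allow';                    // browser sends no metadata
  if (['same-origin', 'same-site', 'none'].includes(site)) return 'allow';
  return 'deny';
}

// Decision the rule reaches for a cross-site embedder (assumed origin) under
// the reported WebKit behaviour versus the spec-conforming header.
function crossSiteFrameOutcome(referrerPolicy) {
  const site = reportedSecFetchSite('https://embedder.example',
                                    'https://www.example.com', referrerPolicy);
  return framingDecision({ 'sec-fetch-dest': 'iframe', 'sec-fetch-site': site });
}
```

Under the reported behaviour the cross-site frame load is accepted by a rule that would otherwise deny it, which is why framing should be controlled by CSP frame-ancestors or X-Frame-Options rather than by Sec-Fetch-Site alone.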