[Webkit-unassigned] [Bug 256472] New: Incorrect Sec-Fetch-Site values on iframes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 8 09:46:27 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=256472

            Bug ID: 256472
           Summary: Incorrect Sec-Fetch-Site values on iframes
           Product: WebKit
           Version: Safari 16
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: niemczura at meta.com

Sec-Fetch-Site values are supposed to provide information about the relationship between a request initiator's origin and the origin of the requested resource (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site and https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header).

However, when the following iframe is included on the page, the value of the Sec-Fetch-Site header will be "none":

<iframe method="get" referrerpolicy="no-referrer" src="https://www.example.com"></iframe>

It appears to be due to the referrer policy attribute. Setting it to no-referrer will cause Safari to send the Sec-Fetch-Site header with the "none" value regardless of the origin of the iframe, i.e. same-origin, same-site and cross-site frames would all have this header set to "none".

---

Reproduction steps:
1. Open any website, e.g. example.com
2. Open developer tools and paste the following code in the JS console:
```javascript
// Reporter's reproduction: inject a no-referrer iframe into the current page,
// then inspect the request headers of the resulting iframe navigation.
const iframe = document.createElement('iframe');
iframe.src = 'https://www.example.com';
iframe.referrerPolicy = 'no-referrer'; // the attribute that triggers the "none" value
iframe.method = 'get'; // kept from the original snippet; iframes have no method attribute, so this is a no-op
document.body.appendChild(iframe);
```
3. Inspect the request headers sent on the iframe request.

Expected Outcome:
The Sec-Fetch-Site header is set to same-origin, same-site and cross-site, etc.

Actual Outcome:
The Sec-Fetch-Site header is set to none.
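The defender-side consequence of this bug, as an added example that is not part of the bug report: a server-side Fetch Metadata "resource isolation" check that trusts Sec-Fetch-Site "none" as a user-initiated navigation will misclassify the no-referrer iframe request described above, while a check that also requires Sec-Fetch-Dest "document" before trusting "none" does not. Header names are assumed lower-cased as Node's http module delivers them, and the sample header sets are constructed.

```javascript
// Added example (not WebKit's or the reporter's code): two Fetch Metadata
// isolation policies evaluated against constructed request headers.

// Naive policy: "none" is taken to mean the user typed the URL or used a
// bookmark, so the request is allowed.
function naiveIsolationPolicy(headers) {
  const site = headers['sec-fetch-site'];
  if (site === undefined) return 'allow';            // legacy browser, no metadata
  if (site === 'same-origin' || site === 'same-site') return 'allow';
  if (site === 'none') return 'allow';                // assumed user-initiated navigation
  return 'deny';
}

// Hardened policy: "none" is only trusted for a top-level document navigation.
// An iframe navigation carries Sec-Fetch-Dest "iframe", which can never be a
// user-typed navigation, so "none" there is treated like cross-site.
function hardenedIsolationPolicy(headers) {
  const site = headers['sec-fetch-site'];
  const dest = headers['sec-fetch-dest'];
  if (site === undefined) return 'allow';
  if (site === 'same-origin' || site === 'same-site') return 'allow';
  if (site === 'none' && dest === 'document') return 'allow';
  return 'deny';
}

// Constructed headers for a real address-bar navigation.
const directNavigation = {
  'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document',
};
// Constructed headers matching the bug: a cross-site iframe with
// referrerpolicy="no-referrer", for which WebKit reports "none".
const noReferrerCrossSiteIframe = {
  'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe',
};
// Constructed headers a conforming browser sends for the same iframe.
const conformingCrossSiteIframe = {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe',
};

// Stand-alone run: shows the naive policy letting the framed request through.
console.log('naive   :', naiveIsolationPolicy(noReferrerCrossSiteIframe));   // allow
console.log('hardened:', hardenedIsolationPolicy(noReferrerCrossSiteIframe)); // deny
```

The hardened check also denies same-origin and same-site framed requests that WebKit reports as "none", which is the trade-off of the bug until the header is corrected.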
