[Webkit-unassigned] [Bug 272683] New: Referrer-Policy 'unsafe-url' and co. supported for same-site URLs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 15 08:49:38 PDT 2024


            Bug ID: 272683
           Summary: Referrer-Policy 'unsafe-url' and co. supported for
                    same-site URLs
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jannis.rautenstrauch at cispa.de
                CC: beidson at apple.com

WebKit still supports 'unsafe-url' and other values for 'same-site' URLs. 
I thought 'unsafe-url' and co. should only be allowed for 'same-origin' URLs.

Visit https://sub.headers.websec.saarland/_hp/tests/referrer-access-rp.sub.html?resp_type=basic&browser_id=1&label=RP&first_id=200&last_id=200&scheme=https&t_resp_id=200&t_element_relation=iframe_iframe&t_resp_origin=https://headers.websec.saarland
The site sub.header.websec.saarland sets a RP of 'unsafe-url' and the full URL is reported to the cross-origin same-site site headers.websec.saarland.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240415/4400be96/attachment-0001.htm>

More information about the webkit-unassigned mailing list