Bug 215163

Summary: Do cross-site requests between different eTLD+1s send the full URL as the Referer header?
Product: WebKit
Reporter: Toru Kobayashi <koba0004>
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: beidson, gsnedders, webkit-bug-importer, wilander, youennf
Priority: P2
Keywords: InRadar
Version: Safari 13
Hardware: Mac
OS: macOS 10.15

Toru Kobayashi
Reported 2020-08-05 05:46:25 PDT
I've tested how Safari sends a referrer for cross-site requests.

The following post mentions that Safari sends a referrer downgraded to its origin for all cross-site requests.

> ITP now downgrades all cross-site request referrer headers to just the page’s origin.

https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/

So, I've tested with two sites that are created on glitch.me. glitch.me is registered in the Public Suffix List, so I guess that the referrer for a request between the two sites is its origin, not the full URL.
https://publicsuffix.org/list/public_suffix_list.dat

But the Referer header was the full URL, not the origin.

You can test it like this.
- Navigate to https://referrer-a.glitch.me/referrer-a
- Open the Network Panel
- Click "Navigate Referrer B"
- Check the Referer header for the request to https://referrer-b.glitch.me/referrer-b

Expected Referer header: https://referrer-a.glitch.me
Actual Referer header: https://referrer-a.glitch.me/referrer-a

The cross-site that the blog post mentioned is eTLD+1, isn't it?
https://web.dev/same-site-same-origin/
Radar WebKit Bug Importer
Comment 1 2020-08-12 05:47:19 PDT
Sam Sneddon [:gsnedders]
Comment 2 2021-07-27 06:38:11 PDT
This doesn't reproduce in the above case on ToT, but purely because the default referrer-policy is now strict-origin-when-cross-origin. glitch.me has been in the version of the PSL we've shipped for a long time (Catalina at least shipped with it there, not checked further back), so I'm not sure why ITP isn't stripping the referrer in this case. John?
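As an added illustration (not WebKit's code and not from either commenter), the following models the two decisions behind the report and comment 2: whether two URLs are same-site by eTLD+1 against a constructed Public Suffix List excerpt, and what Referer results under the older no-referrer-when-downgrade default versus the current strict-origin-when-cross-origin default, with the ITP cross-site downgrade quoted from the blog post layered on top. The helper names, the PSL excerpt and the two-policy model are assumptions made here.

```javascript
// Constructed PSL excerpt (glitch.me is a real entry; the full list is at
// https://publicsuffix.org/list/public_suffix_list.dat). Hypothetical helpers.
const PUBLIC_SUFFIXES = new Set(["com", "me", "glitch.me", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one
// more label; null when the host is itself a public suffix or has no match.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Same-site as defined at https://web.dev/same-site-same-origin/:
// same scheme and same eTLD+1. Two glitch.me subdomains are therefore
// cross-site, because glitch.me itself is the public suffix.
function isSameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const ra = registrableDomain(ua.hostname), rb = registrableDomain(ub.hostname);
  return ua.protocol === ub.protocol && ra !== null && ra === rb;
}

// Referer under a referrer policy. Only the two defaults discussed in the bug
// are modelled: no-referrer-when-downgrade (full URL unless HTTPS -> HTTP) and
// strict-origin-when-cross-origin (full URL same-origin, origin otherwise).
function policyReferer(from, to, policy) {
  const f = new URL(from), t = new URL(to);
  if (f.protocol === "https:" && t.protocol === "http:") return null;
  f.hash = ""; f.username = ""; f.password = ""; // never sent in Referer
  if (policy === "no-referrer-when-downgrade" || f.origin === t.origin) return f.href;
  return f.origin + "/"; // a serialized origin carries a trailing slash
}

// ITP rule quoted in the report: a cross-site request never carries more than
// the page's origin, whatever the policy would otherwise allow.
function effectiveReferer(from, to, policy) {
  const referer = policyReferer(from, to, policy);
  if (referer === null || isSameSite(from, to)) return referer;
  return new URL(from).origin + "/";
}
```

With the two glitch.me URLs from the report, the old default alone yields the full URL the reporter observed, while the ITP rule and the current default both reduce it to the origin.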