Bug 215163

Summary:	Does a cross-site requests between different eTLD+1 send the full URL as the Referer header?
Product:	WebKit	Reporter:	Toru Kobayashi <koba0004>
Component:	Page Loading	Assignee:	Nobody <webkit-unassigned>
Status:	NEW ---
Severity:	Normal	CC:	beidson, gsnedders, webkit-bug-importer, wilander, youennf
Priority:	P2	Keywords:	InRadar
Version:	Safari 13
Hardware:	Mac
OS:	macOS 10.15

Description Toru Kobayashi 2020-08-05 05:46:25 PDT

I've tested how Safari sends a referrer for cross-site requests.
The following post mentions that Safari sends a referrer downgraded to its origin for all cross-site requests.

> ITP now downgrades all cross-site request referrer headers to just the page’s origin.
https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/

So, I've tested with two sites that are created on glitch.me. glitch.me is registered in the Public Suffix List, so I guess that the referrer for a request between the two sites is its origin, not full URL.
https://publicsuffix.org/list/public_suffix_list.dat

But the Referer header was the full URL, not the origin.

You can test it like this.
- Navigate https://referrer-a.glitch.me/referrer-a
- Open Network Panel
- Click Navigate Referrer B
- Check the Referer header for a request to https://referrer-b.glitch.me/referrer-b

Expected Referer Header: https://referrer-a.glitch.me
Actual Referer Header: https://referrer-a.glitch.me/referrer-a.

The cross-site that the blog post mentioned is eTLD+1, isn't it?
https://web.dev/same-site-same-origin/

Comment 1 Radar WebKit Bug Importer 2020-08-12 05:47:19 PDT

<rdar://problem/66903413>

Comment 2 Sam Sneddon [:gsnedders] 2021-07-27 06:38:11 PDT

This doesn't reproduce in the above case on ToT, but purely because the default referrer-policy is now strict-origin-when-cross-origin.

glitch.me has been in the version of the PSL we've shipped for a long time (Catalina at least shipped with it there, not checked further back), so I'm not sure why ITP isn't stripping the referrer in this case. John?