Bug 215163

Summary: Does a cross-site requests between different eTLD+1 send the full URL as the Referer header?
Product: WebKit Reporter: Toru Kobayashi <koba0004>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: beidson, gsnedders, webkit-bug-importer, wilander, youennf
Priority: P2 Keywords: InRadar
Version: Safari 13   
Hardware: Mac   
OS: macOS 10.15   

Description Toru Kobayashi 2020-08-05 05:46:25 PDT
I've tested how Safari sends a referrer for cross-site requests.
The following post mentions that Safari sends a referrer downgraded to its origin for all cross-site requests.

> ITP now downgrades all cross-site request referrer headers to just the page’s origin.
https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/

So, I've tested with two sites that are created on glitch.me. glitch.me is registered in the Public Suffix List, so I guess that the referrer for a request between the two sites is its origin, not full URL.
https://publicsuffix.org/list/public_suffix_list.dat

But the Referer header was the full URL, not the origin.

You can test it like this.
- Navigate https://referrer-a.glitch.me/referrer-a
- Open Network Panel
- Click Navigate Referrer B
- Check the Referer header for a request to https://referrer-b.glitch.me/referrer-b

Expected Referer Header: https://referrer-a.glitch.me
Actual Referer Header: https://referrer-a.glitch.me/referrer-a.

The cross-site that the blog post mentioned is eTLD+1, isn't it?
https://web.dev/same-site-same-origin/
Comment 1 Radar WebKit Bug Importer 2020-08-12 05:47:19 PDT
<rdar://problem/66903413>
Comment 2 Sam Sneddon [:gsnedders] 2021-07-27 06:38:11 PDT
This doesn't reproduce in the above case on ToT, but purely because the default referrer-policy is now strict-origin-when-cross-origin.

glitch.me has been in the version of the PSL we've shipped for a long time (Catalina at least shipped with it there, not checked further back), so I'm not sure why ITP isn't stripping the referrer in this case. John?