Bug 215356

Summary: same-site navigation within iframes is still referrerpolicy=origin when "Prevent cross-site tracking" enabled
Product: WebKit Reporter: Daniel Roesler <diafygi>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: beidson, bfulgham, cblaze22, charliew, diafygi, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 13   
Hardware: iPhone / iPad   
OS: iOS 13   

Description Daniel Roesler 2020-08-10 22:20:32 PDT 
According to a recent Intelligent Tracking Prevention (ITP) blog post[1][2], "ITP now downgrades all cross-site request referrer headers to just the page’s origin. Previously, this was only done for cross-site requests to classified domains." and "All cross-site document.referrers are downgraded to their origin. This matches the already downgraded cross-site referrer request headers."

[1]: https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/
[2]: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

However, it seems that within an iframe, when the parent source is cross-site, that same-site navigation is _also_ restricted to origin-only referrals. Is this intentional? It is unclear in the documentation that same-site navigation within an embedded iframe will have origin-only referrals.

Reproduction steps:

1. I have created a demo[3] with the parent daylightpirates.org, and embedded two iframes, one with a same-site origin (daylightpirates.org), and one with cross-site origin (gethttpsforfree.com).
2. For each I put a link that leads to a second page of the iframed origin (e.g. same-site) which then reports the request's Referer header.
3. When the link is clicked in the gethttpsforfree.com iframe, the referrer is limited to origin-only.

[3]: Proof of concept demo: https://daylightpirates.org/iframe-referrerpolicy-test

What should happen:

1. Same-site navigation, even withing an iframe, no matter if the parent is cross-site, should be treated as same-site navigation and full referrer headers should be available.

Why this breaks things:

1. There are many third party widgets, embedded surveys, and other tools that let the users submit a form through the widget.
2. Since third-party cookies are often disabled, the embedded iframe used same-site referrer headers to provide CSRF protection so that iframed forms could still not be submitted cross-site and cross-page (preventing XSS exploits).
3. Restricting to origin-only eliminates the XSS protection and strong CSRF protection from iframe form submission in widgets, surveys, etc.

So, if this was intentional, it would be enormously helpful to understand what specific third-party tracking behavior this prevents, and help with possible alternatives to CSRF within third-party iframed tools.
Comment 1 Radar WebKit Bug Importer 2020-08-11 10:57:13 PDT 
<rdar://problem/66849267>
Comment 2 cblaze22 2020-08-18 12:13:03 PDT 
I am also having this same issue. All of a sudden my iframe is not picking up the cookies within an iframe of the same domain that was set outside of it.
Comment 3 Charlie Wolfe 2022-08-23 10:54:34 PDT 
I can't reproduce this on the latest WebKit builds.
Comment 4 Daniel Roesler 2022-08-26 11:37:04 PDT 
(In reply to Charlie Wolfe from comment #3)
> I can't reproduce this on the latest WebKit builds.

Can you please try again? I fixed the proof of concept demo:  https://daylightpirates.org/iframe-referrerpolicy-test
Comment 5 Charlie Wolfe 2022-08-29 16:04:14 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/3788
Comment 6 cblaze22 2022-08-29 19:22:34 PDT 
Is this confirmed a bug and being fixed?
Comment 7 Charlie Wolfe 2022-08-30 16:55:14 PDT 
(In reply to cblaze22 from comment #6)
> Is this confirmed a bug and being fixed?

I believe this may be a bug, but the bug being reported is only related to the Referer header being stripped in cases when it shouldn't be. The fix I am proposing won't resolve any issues you are having regarding cookies (which you initially mentioned).

If you think you are experiencing another issue. Please file a separate bug.