Re: [webkit-dev] Question: referrerpolicy in Safari

[Michael Catanzaro]

On Wed, Sep 23, 2020 at 1:50 pm, Dominic Farolino 
 wrote:
I haven't dug too deep here, but just going to post this in case it 
answers your question and saves you some time. As documented here, it 
appears that Safari is starting to not honor the `referrerpolicy` 
attribute on HTML elements where it would override the referrer 
policy redaction that their cross-site tracking work has performed, 
or at least in cases where it would expose more information than what 
was intended by the cross-site tracking protection. That may be an 
oversimplification, (I trust someone from WebKit can clarify), but it 
may explain the behavior you are seeing.


That probably explains case 1. There's some documentation of this at 
https://webkit.org/tracking-prevention/. The actual URLs matter here. 
With https://site-one.example/path/foo and https://site-two.example/, 
the top privately-controlled domains are different (site-one.example 
vs. site-two.example) so the referrer will be downgraded to its origin. 
But say you were instead testing https://site-one.example.com/path/foo 
and https://site-two.example.com/, then the top privately-controlled 
domain in both cases is example.com, and there's no forced downgrade.


That doesn't explain what's going on in case 2 or case 3, though. 
Smells like bugs?


Michael


___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Question: referrerpolicy in Safari

[Dominic Farolino]

On Wed, Sep 23, 2020 at 12:16 PM Maud Nalpas  wrote:

> Hi,
>
> I'm reaching out for a question about Referrer-Policy, more specifically
> about *element**-level* referrer policies (referrerpolicy=...)
> 
> .
>
> I would expect referrerpolicy on HTML elements to override a page's
> policy for the corresponding request.
>
> But this is not what I'm observing on Safari iOS (12) and Desktop (13,
> with "Prevent cross site tracking" on). And this diverges from Chrome's and
> Firefox's behaviour, which seem to honor referrerpolicy on elements.
>
> It's very possible that I'm mistaken and/or that my test site is wrong --
> your input would help!
>

I haven't dug too deep here, but just going to post this in case it answers
your question and saves you some time. As documented here
,
it appears that Safari is starting to not honor the `referrerpolicy`
attribute on HTML elements where it would override the referrer policy
redaction that their cross-site tracking work has performed, or at least in
cases where it would expose more information than what was intended by the
cross-site tracking protection. That may be an oversimplification, (I trust
someone from WebKit can clarify), but it may explain the behavior you are
seeing.

>
> Test
>
> Test site
> 
>
> A policy can be selected in the blue button bar. To test referrerpolicy,
> the useful section is "Let's test element-based referrerpolicy" at the
> bottom of the page.
>
> Examples of unexpected behaviour (can be reproduced on the test site)
>
> 1. On https://site-one.example/path/foo with a document-level policy of
> strict-origin-when-cross-origin:
>
>-
>
>An  element with referrerpolicy=no-referrer-when-downgrade links to
>https://site-two.example (href).
>-
>
>Upon clicking the link and navigating to site-two, site-two gets the
>origin as a Referer in the request (Referer=https://site-one.example).
>-
>
>I would expect Referer=https://site-one.example/path/foo instead (and
>this is the behaviour in Chrome and Firefox).
>
> 2. On https://site-one.example/path/foo with a document-level policy of
> no-referrer:
>
>-
>
>An  element with referrerpolicy=strict-origin-when-cross-origin
>loads an image from *https://site-two.example
>* (src).
>-
>
>site-two gets the full URL in this image request (Referer=
>https://site-one.example/path/foo).
>-
>
>I would expect Referer=https://site-one.example instead (and this is
>the behaviour in Chrome and Firefox).
>
> 3. On https://site-one.example/path/foo with an document-level policy of
> no-referrer-when-downgrade:
>
> A *referrerpolicy* on a