I'm reaching out for a question about Referrer-Policy, more specifically
about *element**-level* referrer policies (referrerpolicy=...)

I would expect referrerpolicy on HTML elements to override a page's policy
for the corresponding request.

But this is not what I'm observing on Safari iOS (12) and Desktop (13, with
"Prevent cross site tracking" on). And this diverges from Chrome's and
Firefox's behaviour, which seem to honor referrerpolicy on elements.

It's very possible that I'm mistaken and/or that my test site is wrong --
your input would help!


Test site

A policy can be selected in the blue button bar. To test referrerpolicy,
the useful section is "Let's test element-based referrerpolicy" at the
bottom of the page.

Examples of unexpected behaviour (can be reproduced on the test site)

1. On https://site-one.example/path/foo with a document-level policy of


   An <a> element with referrerpolicy=no-referrer-when-downgrade links to
   https://site-two.example (href).

   Upon clicking the link and navigating to site-two, site-two gets the
   origin as a Referer in the request (Referer=https://site-one.example).

   I would expect Referer=https://site-one.example/path/foo instead (and
   this is the behaviour in Chrome and Firefox).

2. On https://site-one.example/path/foo with a document-level policy of


   An <img> element with referrerpolicy=strict-origin-when-cross-origin
   loads an image from *https://site-two.example <https://site-two.example>*

   site-two gets the full URL in this image request (Referer=

   I would expect Referer=https://site-one.example instead (and this is the
   behaviour in Chrome and Firefox).

3. On https://site-one.example/path/foo with an document-level policy of

A *referrerpolicy* on a <script> element seems to be honored on Safari
desktop but not on iOS.

Can this be? Why / What would be the expected behaviour?

(I see that *referrerpolicy* support has been implemented

Thank you!

- Maud
webkit-dev mailing list

Reply via email to