On Wed, Sep 23, 2020 at 1:50 pm, Dominic Farolino <domfarol...@gmail.com> wrote:
I haven't dug too deep here, but just going to post this in case it answers your question and saves you some time. As documented here, it appears that Safari is starting to not honor the `referrerpolicy` attribute on HTML elements where it would override the referrer policy redaction that their cross-site tracking work has performed, or at least in cases where it would expose more information than what was intended by the cross-site tracking protection. That may be an oversimplification, (I trust someone from WebKit can clarify), but it may explain the behavior you are seeing.
That probably explains case 1. There's some documentation of this at https://webkit.org/tracking-prevention/. The actual URLs matter here. With https://site-one.example/path/foo and https://site-two.example/, the top privately-controlled domains are different (site-one.example vs. site-two.example) so the referrer will be downgraded to its origin. But say you were instead testing https://site-one.example.com/path/foo and https://site-two.example.com/, then the top privately-controlled domain in both cases is example.com, and there's no forced downgrade.
That doesn't explain what's going on in case 2 or case 3, though. Smells like bugs?
Michael _______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
