On Wed, Sep 23, 2020 at 12:16 PM Maud Nalpas <ma...@chromium.org> wrote:
> Hi,
>
> I'm reaching out for a question about Referrer-Policy, more specifically
> about *element-level* referrer policies (referrerpolicy=...)
> <https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-referrer-attribute>.
>
> I would expect referrerpolicy on HTML elements to override a page's
> policy for the corresponding request.
>
> But this is not what I'm observing on Safari iOS (12) and Desktop (13,
> with "Prevent cross site tracking" on). And this diverges from Chrome's and
> Firefox's behaviour, which seem to honor referrerpolicy on elements.
>
> It's very possible that I'm mistaken and/or that my test site is wrong --
> your input would help!

I haven't dug too deep here, but just going to post this in case it answers your question and saves you some time.

As documented here <https://github.com/privacycg/proposals/issues/13#issuecomment-621361878>, it appears that Safari is starting to not honor the `referrerpolicy` attribute on HTML elements where it would override the referrer policy redaction that their cross-site tracking work has performed, or at least in cases where it would expose more information than what was intended by the cross-site tracking protection. That may be an oversimplification (I trust someone from WebKit can clarify), but it may explain the behavior you are seeing.

> Test
>
> Test site
> <https://site-one-dot-referrer-demo-280711.ey.r.appspot.com/stuff/detail?tag=red&p=p0>
>
> A policy can be selected in the blue button bar. To test referrerpolicy,
> the useful section is "Let's test element-based referrerpolicy" at the
> bottom of the page.
>
> Examples of unexpected behaviour (can be reproduced on the test site)
>
> 1. On https://site-one.example/path/foo with a document-level policy of
>    strict-origin-when-cross-origin:
>
>    - An <a> element with referrerpolicy=no-referrer-when-downgrade links to
>      https://site-two.example (href).
>    - Upon clicking the link and navigating to site-two, site-two gets the
>      origin as a Referer in the request (Referer=https://site-one.example).
>    - I would expect Referer=https://site-one.example/path/foo instead (and
>      this is the behaviour in Chrome and Firefox).
>
> 2. On https://site-one.example/path/foo with a document-level policy of
>    no-referrer:
>
>    - An <img> element with referrerpolicy=strict-origin-when-cross-origin
>      loads an image from https://site-two.example (src).
>    - site-two gets the full URL in this image request
>      (Referer=https://site-one.example/path/foo).
>    - I would expect Referer=https://site-one.example instead (and this is
>      the behaviour in Chrome and Firefox).
>
> 3. On https://site-one.example/path/foo with a document-level policy of
>    no-referrer-when-downgrade:
>
>    A *referrerpolicy* on a <script> element seems to be honored on Safari
>    desktop but not on iOS.
>
> Can this be? Why / What would be the expected behaviour?
>
> (I see that *referrerpolicy* support has been implemented
> <https://bugs.webkit.org/show_bug.cgi?id=179053>).
>
> Thank you!
>
> - Maud
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
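The precedence the original question expects (an element's referrerpolicy replacing the document policy for that one request), worked through for cases 1 and 2 of the thread. This is an added example, not code from the thread or from WebKit; it models only the W3C Referrer Policy rules, not Safari's tracking-prevention redaction. The function names, the image path and the "https means trustworthy" shortcut are assumptions.

```javascript
// Added example: simplified Referer computation following the W3C Referrer Policy spec.
// Assumption: "potentially trustworthy URL" is approximated as "scheme is https:".
const POLICIES = new Set(["no-referrer", "no-referrer-when-downgrade", "same-origin",
  "origin", "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url"]);

// A valid referrerpolicy attribute replaces the document policy for that request;
// a missing, empty or unknown attribute value falls back to the document policy.
function effectivePolicy(documentPolicy, elementPolicy) {
  return POLICIES.has(elementPolicy) ? elementPolicy : documentPolicy;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferer(pageUrl, targetUrl, documentPolicy, elementPolicy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  page.username = ""; page.password = ""; page.hash = ""; // never sent in a Referer
  const full = page.href;
  const originOnly = page.origin + "/"; // origin-only referrers end with "/"
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (effectivePolicy(documentPolicy, elementPolicy)) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new RangeError("unknown document policy: " + documentPolicy);
  }
}

// Cases 1 and 2 from the thread; the image path is constructed for the example.
function threadCases() {
  const page = "https://site-one.example/path/foo";
  return {
    case1: computeReferer(page, "https://site-two.example/",
      "strict-origin-when-cross-origin", "no-referrer-when-downgrade"),
    case1DocumentOnly: computeReferer(page, "https://site-two.example/",
      "strict-origin-when-cross-origin"),
    case2: computeReferer(page, "https://site-two.example/pixel.png",
      "no-referrer", "strict-origin-when-cross-origin"),
  };
}
console.log(threadCases());
```

Comparing these values with the Referer a test server actually logs shows whether a browser applied the element attribute or the document policy for a given request.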