| Summary: | REGRESSION (r191180): Safari does not send Referer Header to iframe src in certain situations | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Podolnick <adam> |
| Component: | New Bugs | Assignee: | Chris Dumez <cdumez> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | adrian+webkit, aestes, beidson, cdumez, commit-queue, dbates, ddkilzer, esprehn+autocc, gbarros, gyuyoung.kim, iamcraigcampbell, jiewen_tan, koivisto, me, paulking247, rossideas, ruudibear, webkit-bug-importer, yuichiohkawa |
| Priority: | P1 | Keywords: | InRadar, Regression |
| Version: | Safari 9 | | |
| Hardware: | iPhone / iPad | | |
| OS: | iOS 9.3 | | |
| Bug Depends on: | 150097 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Adam Podolnick
2016-03-22 10:23:53 PDT

Does this happen to be a cross-origin request?

(In reply to comment #1)
> Does this happen to be a cross-origin request?

Yes, it is a cross-origin request.

We're seeing this same bug with soundslice.com, which offers an embedded iframe sheet-music viewer that optionally does referrer checking. Referrer checking is broken in iOS 9.3, which means our iframes are broken.

This bug also affects Vimeo Pro video embeds, which apparently do the same whitelist referrer checking. Here are people complaining about it on Vimeo's forums: https://vimeo.com/forums/help/topic:281389

I believe this was caused by http://trac.webkit.org/r191180

(In reply to comment #6)
> I believe this was caused by http://trac.webkit.org/r191180

I was thinking the same thing, but the reporter says they see this in iOS 9.3

Did the preload scanner ship in 9.3?

(In reply to comment #7)
> (In reply to comment #6)
> > I believe this was caused by http://trac.webkit.org/r191180
>
> I was thinking the same thing, but the reporter says they see this in iOS 9.3
>
> Did the preload scanner ship in 9.3?

The preload scanner shipped in 9.3 but iframe preloading did not ship in 9.3: this is a fairly recent addition.

(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > I believe this was caused by http://trac.webkit.org/r191180
> >
> > I was thinking the same thing, but the reporter says they see this in iOS 9.3
> >
> > Did the preload scanner ship in 9.3?
>
> The preload scanner shipped in 9.3 but iframe preloading did not ship in
> 9.3: this is a fairly recent addition.

I was thinking of a different thing that we've seen recent issues with (speculative validation). Okay, good.

(In reply to comment #6)
> I believe this was caused by http://trac.webkit.org/r191180

I have just double-checked: http://trac.webkit.org/r191180 / <rdar://problem/23094475> did not ship yet.

This might be helpful. If there are no external resources loaded in the <head> or, more generally, before the iframe, the correct headers are sent. Example: https://sproutvideo-examples.s3.amazonaws.com/safari_headers_a.html

It also sends the correct headers if the external resource is included AFTER the iframe: https://sproutvideo-examples.s3.amazonaws.com/safari_headers_c.html

(In reply to comment #10)
> (In reply to comment #6)
> > I believe this was caused by http://trac.webkit.org/r191180
>
> I have just double-checked: http://trac.webkit.org/r191180 /
> <rdar://problem/23094475> did not ship yet.

Never mind, Andy proved me wrong. r191180 did indeed ship in 9.3 and is likely the cause of this regression.

This bug also happens on OS X 10.11.4 (Safari 9.1/11601.5.17.1 and Technology Preview 9.1.1). In addition, this also happens with same-origin requests.

Sample page: https://www.ei.tohoku.ac.jp/demo/sample.html

Steps:
1) Access the above page.
2) Reload the page.

The sample page has a style tag and a script tag. If there is no style tag (*1) or no script tag (*2) in the page, Safari sends the Referer header correctly.

Additional samples:
*1 https://www.ei.tohoku.ac.jp/demo/sample3.html
*2 https://www.ei.tohoku.ac.jp/demo/sample2.html

In these samples, I used a PHP page for the iframe src. If I used a static page for the iframe src, the behavior changed. When pages are cached in Safari, Safari sends the Referer header. However, if I clear the page caches, Safari no longer sends it.

Created attachment 275313
Roll out

Created attachment 275315
Patch

The commit-queue encountered the following flaky tests while processing attachment 275313:

transitions/default-timing-function.html bug 138901 (author: simon.fraser@apple.com)
The commit-queue is continuing to process your patch.

Comment on attachment 275315
Patch

Clearing flags on attachment: 275315

Committed r198917: <http://trac.webkit.org/changeset/198917>

All reviewed patches have been landed. Closing bug.

Thanks for looking into this! I see that this has been marked as "RESOLVED FIXED". Has this been tested against the test cases that Ohkawa Yuichi and I provided to make sure that the iframe preloading was the source of the problem?

(In reply to comment #19)
> Thanks for looking into this! I see that this has been marked as "RESOLVED
> FIXED". Has this been tested against the test cases that Ohkawa Yuichi and I
> provided to make sure that the iframe preloading was the source of the
> problem?

Yes, I have confirmed that both test cases now work on iOS with latest WebKit.

Excellent! Thanks for clarifying.

Hi,

We're still seeing the same issue with iOS 9.3.1 if the page is refreshed. First page load is ok but subsequent refreshes drop the referrer once again. Doesn't seem that this one is fixed yet.

Thanks

(In reply to comment #22)
> Hi,
>
> We're still seeing the same issue with iOS 9.3.1 if the page is refreshed.
> First page load is ok but subsequent refreshes drop the referrer once again.
> Doesn't seem that this one is fixed yet.
>
> Thanks

It is fixed, just not in iOS 9.3.1 yet.

Ah - please accept my apologies - not familiar with the way these things work with Apple updates etc. Thanks for confirming, I will let our users know. Kind regards

(In reply to comment #23)
> (In reply to comment #22)
> > Hi,
> >
> > We're still seeing the same issue with iOS 9.3.1 if the page is refreshed.
> > First page load is ok but subsequent refreshes drop the referrer once again.
> > Doesn't seem that this one is fixed yet.
> >
> > Thanks
>
> It is fixed, just not in iOS 9.3.1 yet.

This problem is still affecting our website after iOS 9.3.1 is installed on device. Please can you advise when you think this bug fix will be sent out in an update by Apple. If the fix is in 9.3.1 then the problem still exists and is not resolved. Thanks

(In reply to comment #25)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > Hi,
> > >
> > > We're still seeing the same issue with iOS 9.3.1 if the page is refreshed.
> > > First page load is ok but subsequent refreshes drop the referrer once again.
> > > Doesn't seem that this one is fixed yet.
> > >
> > > Thanks
> >
> > It is fixed, just not in iOS 9.3.1 yet.
>
> This problem is still affecting our website after iOS 9.3.1 is installed on
> device. Please can you advise when you think this bug fix will be sent out
> in an update by Apple. If the fix is in 9.3.1 then the problem still exists
> and is not resolved. Thanks

The bug *is* fixed in WebKit trunk. Yes, the bug still exists in iOS 9.3.1. Apple does not comment on the timing or content of future releases.

(In reply to comment #26)
> (In reply to comment #25)
> > (In reply to comment #23)
> > > (In reply to comment #22)
> > > > Hi,
> > > >
> > > > We're still seeing the same issue with iOS 9.3.1 if the page is refreshed.
> > > > First page load is ok but subsequent refreshes drop the referrer once again.
> > > > Doesn't seem that this one is fixed yet.
> > > >
> > > > Thanks
> > >
> > > It is fixed, just not in iOS 9.3.1 yet.
> >
> > This problem is still affecting our website after iOS 9.3.1 is installed on
> > device. Please can you advise when you think this bug fix will be sent out
> > in an update by Apple. If the fix is in 9.3.1 then the problem still exists
> > and is not resolved. Thanks
>
> The bug *is* fixed in WebKit trunk. Yes, the bug still exists in iOS 9.3.1.
> Apple does not comment on the timing or content of future releases.

Thank you - sorry for asking basic questions - I'm not familiar with this. You can understand why I ask, as our site is subscription based and don't want to remove the domain level privacy on our videos. We are trying to understand the time implications so we can manage our customer expectations.

If you could indulge me whilst I ask a couple more basic questions:

How does the process work once you have resolved the bug fix?
Do you submit your bug fix to Apple?
Do they normally accept it and use it or are we likely to have this problem in the long term, until they decide the problem is big enough to issue a fix?

Thank you in advance for your time - it's most appreciated

(In reply to comment #27)
> (In reply to comment #26)
> > (In reply to comment #25)
> > > (In reply to comment #23)
> > > > (In reply to comment #22)
> > > > > Hi,
> > > > >
> > > > > We're still seeing the same issue with iOS 9.3.1 if the page is refreshed.
> > > > > First page load is ok but subsequent refreshes drop the referrer once again.
> > > > > Doesn't seem that this one is fixed yet.
> > > > >
> > > > > Thanks
> > > >
> > > > It is fixed, just not in iOS 9.3.1 yet.
> > >
> > > This problem is still affecting our website after iOS 9.3.1 is installed on
> > > device. Please can you advise when you think this bug fix will be sent out
> > > in an update by Apple. If the fix is in 9.3.1 then the problem still exists
> > > and is not resolved. Thanks
> >
> > The bug *is* fixed in WebKit trunk. Yes, the bug still exists in iOS 9.3.1.
> > Apple does not comment on the timing or content of future releases.
>
>
> Thank you - sorry for asking basic questions - I'm not familiar with this.
> You can understand why I ask, as our site is subscription based and don't
> want to remove the domain level privacy on our videos. We are trying to
> understand the time implications so we can manage our customer expectations.
>
> If you could indulge me whilst I ask a couple more basic questions:
>
> How does the process work once you have resolved the bug fix?
> Do you submit your bug fix to Apple?
> Do they normally accept it and use it or are we likely to have this problem
> in the long term, until they decide the problem is big enough to issue a fix?
>
> Thank you in advance for your time - it's most appreciated

Have you tried iOS 9.3.2 beta that was seeded to developers last week?

(In reply to comment #28)
> (In reply to comment #27)
> > (In reply to comment #26)
> > > (In reply to comment #25)
> > > > (In reply to comment #23)
> > > > > (In reply to comment #22)
> > > > > > Hi,
> > > > > >
> > > > > > We're still seeing the same issue with iOS 9.3.1 if the page is refreshed.
> > > > > > First page load is ok but subsequent refreshes drop the referrer once again.
> > > > > > Doesn't seem that this one is fixed yet.
> > > > > >
> > > > > > Thanks
> > > > >
> > > > > It is fixed, just not in iOS 9.3.1 yet.
> > > >
> > > > This problem is still affecting our website after iOS 9.3.1 is installed on
> > > > device. Please can you advise when you think this bug fix will be sent out
> > > > in an update by Apple. If the fix is in 9.3.1 then the problem still exists
> > > > and is not resolved. Thanks
> > >
> > > The bug *is* fixed in WebKit trunk. Yes, the bug still exists in iOS 9.3.1.
> > > Apple does not comment on the timing or content of future releases.
> >
> >
> > Thank you - sorry for asking basic questions - I'm not familiar with this.
> > You can understand why I ask, as our site is subscription based and don't
> > want to remove the domain level privacy on our videos. We are trying to
> > understand the time implications so we can manage our customer expectations.
> >
> > If you could indulge me whilst I ask a couple more basic questions:
> >
> > How does the process work once you have resolved the bug fix?
> > Do you submit your bug fix to Apple?
> > Do they normally accept it and use it or are we likely to have this problem
> > in the long term, until they decide the problem is big enough to issue a fix?
> >
> > Thank you in advance for your time - it's most appreciated
>
> Have you tried iOS 9.3.2 beta that was seeded to developers last week?

Ok, I have verified that I cannot reproduce the bug anymore on the public iOS 9.3.2 beta that was seeded to developers last week. I confirmed using both test cases (the one from Adam and the one from Ohkawa) on this bug report. Hopefully this helps. Feel free to confirm it yourself as well.

Thank you!

I know there is no comment on timing or content of future releases, but where can I subscribe/be informed when the release for OSX happens?

There will be no changelog mentioning this bug number, I assume, since I did not see references to bug numbers in any other changelog.

Will this page be updated when it happens?

Sorry for not being familiar with the process. Feel free to just point me to a FAQ if there is one I failed to find.

(In reply to comment #31)
> I know there is no comment on timing or content of future releases, but
> where can I subscribe/be informed when the release for OSX happens?

No such notification exists for OS X Safari releases. If you're interested in Safari Technology Preview releases, the release notes for those have - so far - included ChangeLogs referencing bugzillas.

> Will this page be updated when it happens?

No.

> If you're interested in Safari Technology Preview releases, the release notes
> for those have - so far - included ChangeLogs referencing bugzillas.

Thank you. Can I assume the reference on the release-notes[1] will be the exact (or similar) title here?

[1] https://developer.apple.com/safari/technology-preview/release-notes/

(In reply to comment #31)
> I know there is no comment on timing or content of future releases, but
> where can I subscribe/be informed when the release for OSX happens?
>
> There will be no changelog mentioning this bug number, I assume, since I did
> not see references to bug numbers in any other changelog.
>
> Will this page be updated when it happens?
>
> Sorry for not being familiar with the process. Feel free to just point me to
> a FAQ if there is one I failed to find.

While there is no comment on the content of future releases, I am pretty sure the fix already shipped in 10.11.5 on May 16.
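
The referrer allowlisting that the embed providers in this thread rely on, as an added example (not code from the bug report, from WebKit, or from any of the sites mentioned). It keeps an absent Referer apart from a non-allowlisted one, so a browser that drops the header shows up as its own bucket instead of looking like unauthorized embedding; the host names, client labels and function names are assumptions, and the sample records are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical allowlist of sites permitted to embed the player (constructed).
ALLOWED_EMBED_HOSTS = frozenset({"customer.example", "www.customer.example"})


def classify_referer(referer, allowed_hosts=ALLOWED_EMBED_HOSTS):
    """Return 'allowed', 'denied' or 'missing' for an embed request's Referer."""
    if referer is None or not referer.strip():
        return "missing"  # header absent: the case this regression produced
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname  # already lower-cased, port stripped
    except ValueError:
        return "denied"  # malformed URL
    if parts.scheme not in ("http", "https") or not host:
        return "denied"
    # Exact host match: a substring or prefix test would accept look-alike hosts.
    return "allowed" if host.rstrip(".") in allowed_hosts else "denied"


def summarize(requests, allowed_hosts=ALLOWED_EMBED_HOSTS):
    """Count outcomes per (client label, outcome) pair."""
    counts = Counter()
    for client, referer in requests:
        counts[(client, classify_referer(referer, allowed_hosts))] += 1
    return counts


def missing_share(counts, client):
    """Fraction of a client's embed requests that arrived without a Referer."""
    total = sum(n for (c, _), n in counts.items() if c == client)
    return counts[(client, "missing")] / total if total else 0.0


# Constructed sample: (client label, Referer header value or None).
SAMPLE_REQUESTS = [
    ("Safari iOS 9.3", "https://customer.example/lesson/1"),  # first load
    ("Safari iOS 9.3", None),                                 # reload, header dropped
    ("Safari iOS 9.3", ""),                                   # empty header
    ("Chrome", "https://customer.example/lesson/1"),
    ("Chrome", "https://customer.example.other.test/page"),   # look-alike host
]

if __name__ == "__main__":
    counts = summarize(SAMPLE_REQUESTS)
    for client in ("Safari iOS 9.3", "Chrome"):
        print(client, "missing share:", round(missing_share(counts, client), 2))
```

A high missing share concentrated in one browser build points at the client rather than at the embedding sites, which is the pattern the reports in this thread describe.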