Bug 193502

Summary: ITP 2.0 breaks legitimate use-case: Django password reset
Product: WebKit Reporter: René Fleschenberg <rene>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: bfulgham, jefferbo, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   

Description René Fleschenberg 2019-01-16 11:59:06 PST 
Hi all.

On its password reset page, Django (https://www.djangoproject.com/) does an
internal redirect to avoid leaking the password reset token via the referer
header. This does not seem to work with recent Safari versions if there is an
additional prior redirect by a third party.

In my case, users who use Safari in combination with Gmail are unable to use
the password reset feature. The password reset links I send to my users do not
point at any kind of tracker / redirect, but I suspect that Gmail replaces
those links with links to some kind of redirect service. But still, if I
understand https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/
correctly, in this situation ITP should not kick in? But it seems to do so 
nonetheless.

Ticket on the Django bugtracker: https://code.djangoproject.com/ticket/29975

Discussion on the django-developers ML:
https://groups.google.com/forum/#!topic/django-developers/RyDdt1TcH0c
Comment 1 Radar WebKit Bug Importer 2019-01-16 23:37:28 PST 
<rdar://problem/47342711>