Bug 206521
| Summary: | WKWebview: Unable to control HTTP Referer policy | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | sam |
| Component: | WebKit2 | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | beidson, krzysztof.modras, mjs, sam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | iPhone / iPad | ||
| OS: | Unspecified | ||
sam
In testing we observe that WKWebview currently sends full Referers to all origins (including third-parties) on page load. This this a [known tracking a security vulnerability](https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/) that all apps using WKWebview are susceptible to. There is currently no way (that we are aware of) to override this behavior.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/58797376>
Maciej Stachowiak
Would it be satisfactory if WebKit always sent origin-only Referers, instead of exposing a policy? (Safari does this already, but I think it may be tied to ITP, perhaps unnecessarily.)
Krzysztof Jan Modras [:chrmod]
Just for reference - Firefox comes with advanced set of configuration options for referers https://wiki.mozilla.org/Security/Referrer
Most important parameters are:
- when to send (all requests, on interaction, never)
- trimming (removing path/query)
- origin control (don't send to 3rd parties)
Perhaps changing the default behaviour would be fine, but I'm not aware of all usecases. From privacy oriented web browser (like Cliqz) perspective it's definitely a way forward, but I could imagine some apps could experience breakage or may prefer to have referes. It's more for WebKit team to decide how much of general purpose tool the WKWebView should be.