Bug 228291

Summary:

Referrer-Policy not properly applying with iframe redirections

Product:

WebKit

Reporter:

Sam Sneddon [:gsnedders] <gsnedders>

Component:

Page Loading

Assignee:

Alex Christensen <achristensen>

Status:

NEW ---

Severity:

Normal

CC:

achristensen, beidson, bfulgham, cdumez, ews-watchlist, japhet, webkit-bug-importer, wilander

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

URL:

http://wpt.live/referrer-policy/gen/top.http-rp/same-origin/iframe-tag.http.html

Attachments:

Description	Flags
Patch	ews-feeder: commit-queue-

Description Sam Sneddon [:gsnedders] 2021-07-26 12:07:08 PDT

wpt.fyi shows a variety of iframe-related failures:

https://wpt.fyi/results/referrer-policy/gen?label=master&label=experimental&product=chrome&product=firefox&product=webkitgtk&aligned&q=count%3A2%28status%3Apass%29%20none%28status%3Amissing%7Cstatus%3Anotrun%29%20%21sharedworker

(using WebKitGTK as it contains more recent fixes in this area than the latest STP run)

Essentially, regardless of where the policy is specified, we fail to apply a policy on redirection from same (HTTP, not HTTPS) origin, and hence end up sending the Referrer when we shouldn't.

Comment 1 Alex Christensen 2021-07-28 17:06:15 PDT

Created attachment 434478 [details]
Patch

Comment 2 Alex Christensen 2021-07-28 17:44:49 PDT

Comment on attachment 434478 [details]
Patch

This also breaks several other tests.  This isn't quite right.

Comment 3 Alex Christensen 2021-07-28 19:12:39 PDT

SubresourceLoader::checkRedirectionCrossOriginAccessControl is also a good place to look around

Comment 4 Radar WebKit Bug Importer 2021-08-02 12:08:28 PDT

<rdar://problem/81423168>