Bug 263072

Summary: No "referer" header when iframe url set with location.replace
Product: WebKit Reporter: Arthur Schwaiger <arthur.schwaiger>
Component: FramesAssignee: sideshowbarker <mike>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, ahmad.saleem792, annevk, benjamin.bronsart, cdumez, karlcow, mike, webkit-bug-importer
Priority: P2 Keywords: BrowserCompat, InRadar
Version: Safari 17   
Hardware: All   
OS: All   
See Also: https://github.com/web-platform-tests/wpt/pull/42742
https://github.com/web-platform-tests/wpt/pull/42877
Attachments:
Description Flags
result of the minimal reproducible example none

Arthur Schwaiger
Reported 2023-10-12 07:50:12 PDT
Created attachment 468188 [details] result of the minimal reproducible example Hi WebKit team, When using location.replace to set the URL of an iframe (instead of the classic "src" attribute), the "referer" in the iframe request is not set. All other major browsers (Chrome, Firefox, Edge) properly set the "referer" with both location.replace and src attribute. This has major impact on our service where our providers *need* this referer header. We have a minimal reproducible example here. It's a simple iframe where the URL is set with location.replace, and a Node.js backend which returns the request's referer. You can see the result in the screenshot: all browsers except Safari return the referer. For safari, it's undefined. HTML: ``` <iframe id="myIframe"></iframe> <script> var myIframe = document.getElementById("myIframe"); myIframe.contentWindow.location.replace("http://localhost:3000"); </script> ``` Node.js Server (Express): ``` const express = require("express"); const app = express(); app.use((req, res) => { const referer = req.headers.referer; res.send(`Referer: ${referer}`); }); app.listen(3000, () => { console.log("Server listening on port 3000"); }); ``` I'm available if you need any more information. Thank you for your help ! Best regards, Arthur Schwaiger
Attachments
result of the minimal reproducible example (689.18 KB, image/png)
2023-10-12 07:50 PDT, Arthur Schwaiger 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Ahmad Saleem
Comment 1 2023-10-12 08:21:54 PDT
Hi Arthur, can you attach simple reproducible test case or webpage for testing purposes?
sideshowbarker
Comment 2 2023-10-12 22:49:56 PDT
I’ve written a WPT test for this and I can confirm that the test passes in Firefox and Chrome but fails in Safari. The test files are here: - https://github.com/web-platform-tests/wpt/blob/sideshowbarker/location-replace-from-iframe/html/browsers/history/the-location-interface/location-replace-from-iframe.sub.html - https://github.com/web-platform-tests/wpt/blob/sideshowbarker/location-replace-from-iframe/html/browsers/history/the-location-interface/resources/iframe-contents.sub.html I’ll investigate today, and if I can find a fix, I’ll open a PR with a patch for the fix, and with the WPT tests.
sideshowbarker
Comment 3 2023-10-15 02:57:05 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19093
Radar WebKit Bug Importer
Comment 4 2023-10-19 07:51:12 PDT
<rdar://problem/117205761>
sideshowbarker
Comment 5 2023-10-25 02:29:46 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/42742
sideshowbarker
Comment 6 2023-10-31 16:15:36 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/42877
EWS
Comment 7 2023-11-14 19:00:25 PST
Committed 270741@main (1350b5914d01): <https://commits.webkit.org/270741@main> Reviewed commits have been landed. Closing PR #19093 and removing active labels.
Arthur Schwaiger
Comment 8 2025-02-18 01:20:27 PST
Hi, Sorry to re-open this one, but I just wanted to have more informations about the release of this bug. The bug was closed on November 2023 but the bug is still there in Safari 18.3 (February 2025). Is it still not released yet (would be surprising after more than a year) or the fix did not really fixed the original issue ? (you can test the original code in my first post, still not working on Safari). I'm sure I'm missing something here.
Karl Dubost
Comment 9 2025-02-18 04:06:41 PST
hmm good catch. I will check what happened there. Thanks for the heads up.
Karl Dubost
Comment 10 2025-02-18 04:58:47 PST
https://searchfox.org/wubkat/rev/ee370941fdb4641acbb062969074210db0d29d58/Source/WebCore/page/LocalDOMWindow.cpp#2486-2490 ```cpp RefPtr localParent = dynamicDowncast<LocalFrame>(frame->tree().parent()); // If the loader for activeWindow's frame (browsing context) has no outgoing referrer, set its outgoing referrer // to the URL of its parent frame's Document. if (RefPtr activeFrame = activeWindow.frame(); activeFrame && activeFrame->loader().outgoingReferrer().isEmpty() && localParent) activeFrame->loader().setOutgoingReferrer(protectedDocument()->completeURL(localParent->document()->url().strippedForUseAsReferrer().string)); ``` Mike Smith's commit was modified by: https://searchfox.org/wubkat/diff/88f5d6430abe12164eec7acf3a0993ef1ec67d0a/Source/WebCore/page/LocalDOMWindow.cpp#2473 ``` - activeFrame->loader().setOutgoingReferrer(protectedDocument()->completeURL(localParent->document()->url().strippedForUseAsReferrer())); + activeFrame->loader().setOutgoingReferrer(protectedDocument()->completeURL(localParent->document()->url().strippedForUseAsReferrer().string)); ``` But that is not substantive. So maybe Mike's commit didn't fix it. hmmm…
Benjamin Bronsart
Comment 11 2025-04-28 00:26:49 PDT
Hello, Do you have any news about this ? I'm impacted by a similar issue. Thanks,
Note You need to log in before you can comment on or make changes to this bug.