Bug 263072

Summary: No "referer" header when iframe url set with location.replace
Product: WebKit Reporter: Arthur Schwaiger <arthur.schwaiger>
Component: Frames Assignee: sideshowbarker <mike>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, ahmad.saleem792, annevk, cdumez, karlcow, mike, webkit-bug-importer
Priority: P2 Keywords: BrowserCompat, InRadar
Version: Safari 17   
Hardware: All   
OS: All   
See Also: https://github.com/web-platform-tests/wpt/pull/42742
https://github.com/web-platform-tests/wpt/pull/42877
Attachments:
Description Flags
result of the minimal reproducible example none

Description Arthur Schwaiger 2023-10-12 07:50:12 PDT
Created attachment 468188
result of the minimal reproducible example

Hi WebKit team,

When using location.replace to set the URL of an iframe (instead of the classic "src" attribute), the "referer" in the iframe request is not set.

All other major browsers (Chrome, Firefox, Edge) properly set the "referer" with both location.replace and src attribute.

This has a major impact on our service where our providers *need* this referer header.

We have a minimal reproducible example here.
It's a simple iframe where the URL is set with location.replace, and a Node.js backend which returns the request's referer.

You can see the result in the screenshot: all browsers except Safari return the referer. For Safari, it's undefined.

HTML:
```
<iframe id="myIframe"></iframe>
<script>
  var myIframe = document.getElementById("myIframe");
  myIframe.contentWindow.location.replace("http://localhost:3000");
</script>
```

Node.js Server (Express):
```
const express = require("express");
const app = express();

app.use((req, res) => {
  const referer = req.headers.referer;
  res.send(`Referer: ${referer}`);
});

app.listen(3000, () => {
  console.log("Server listening on port 3000");
});
```


I'm available if you need any more information.

Thank you for your help!

Best regards,

Arthur Schwaiger
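
For services that depend on this header, as the report describes, here is an added example (not part of the original report and not WebKit's code) that classifies the Referer header so that an absent header is handled as its own case rather than rendered as the string "undefined". The names `ALLOWED_ORIGINS` and `classifyReferer` and the origin `http://localhost:8080` are assumptions made for illustration.

```javascript
// Added example: classify the Referer of an incoming request instead of
// reading it as a bare string. ALLOWED_ORIGINS and classifyReferer are
// hypothetical names; the allowed origin is a constructed sample value.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]);

function classifyReferer(headers) {
  // Node.js lower-cases incoming header names, as in req.headers.referer.
  const raw = headers.referer;
  if (raw === undefined || raw === "") {
    // The case from the report: the browser sent no Referer at all.
    return { status: "absent", origin: null };
  }
  let origin;
  try {
    origin = new URL(raw).origin;
  } catch {
    // Not an absolute URL, so it cannot be matched against an origin list.
    return { status: "malformed", origin: null };
  }
  // Compare origins only: under the strict-origin-when-cross-origin referrer
  // policy a cross-origin request carries just the origin, not the full path.
  const status = ALLOWED_ORIGINS.has(origin) ? "allowed" : "other-origin";
  return { status, origin };
}

// Constructed sample header sets, one per outcome.
const samples = [
  {},                                                  // no Referer sent
  { referer: "http://localhost:8080/" },               // origin-only referrer
  { referer: "http://localhost:8080/embed.html?x=1" }, // full-URL referrer
  { referer: "https://example.org/" },                 // some other page
  { referer: "not a url" },                            // unparseable value
];

for (const headers of samples) {
  console.log(JSON.stringify(headers), "->", classifyReferer(headers).status);
}
```
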
Comment 1 Ahmad Saleem 2023-10-12 08:21:54 PDT
Hi Arthur, can you attach a simple reproducible test case or webpage for testing purposes?
Comment 2 sideshowbarker 2023-10-12 22:49:56 PDT
I’ve written a WPT test for this and I can confirm that the test passes in Firefox and Chrome but fails in Safari. The test files are here:

- https://github.com/web-platform-tests/wpt/blob/sideshowbarker/location-replace-from-iframe/html/browsers/history/the-location-interface/location-replace-from-iframe.sub.html

- https://github.com/web-platform-tests/wpt/blob/sideshowbarker/location-replace-from-iframe/html/browsers/history/the-location-interface/resources/iframe-contents.sub.html

I’ll investigate today, and if I can find a fix, I’ll open a PR with a patch for the fix, and with the WPT tests.
Comment 3 sideshowbarker 2023-10-15 02:57:05 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19093
Comment 4 Radar WebKit Bug Importer 2023-10-19 07:51:12 PDT
<rdar://problem/117205761>
Comment 5 sideshowbarker 2023-10-25 02:29:46 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/42742
Comment 6 sideshowbarker 2023-10-31 16:15:36 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/42877
Comment 7 EWS 2023-11-14 19:00:25 PST
Committed 270741@main (1350b5914d01): <https://commits.webkit.org/270741@main>

Reviewed commits have been landed. Closing PR #19093 and removing active labels.