Created attachment 172412 [details]
Chrome Canary 25.0.1317.0 - FAIL
Webkit Nightly 6.0.2 (7536.26.17, 537+) - FAIL
Firefox 16.0.2 - PASS
1) Run the attached test.html with the web inspector open.
2) Click the Network tab and click icon-gold.png.
The HTTP REFERER header is sent when requesting the image.
Notice that the HTTP REFERER header isn't sent when requesting the image. This is because the iframe doesn't have a 'src' attribute. However, the iframe is created and written into by the parent page, so it should send the parent page's REFERER.
This breaks sites that need to use a local iframe to sandbox css styles, and that iframe also loads external content that relies on HTTP REFERER.
What is a "local" iframe?
I thought I checked all these cases and made us match Firefox, but it sounds like I missed this one. Thanks for the report.
"Local iframe": an empty iframe without the 'src' attribute. E.g.:
var iframe = document.querySelector('iframe');
I can confirm that IE 9 and 10 also set the HTTP Referer header properly in this use case.
This is a particular problem for anyone using the WordPress Theme Customizer (which uses a src-less, dynamic iframe) in conjunction with any authenticated requests that rely on the Referer (eg Typekit) inside that iframe.
Cross filed for Blink at https://code.google.com/p/chromium/issues/detail?id=226858