WebKit Bugzilla
NEW
169846
Safari does not send HTTP_REFERER from iframe injected into parent iframe that has no src attribute
https://bugs.webkit.org/show_bug.cgi?id=169846
Adam Podolnick
Reported
2017-03-18 10:15:36 PDT
Safari / WebKit doesn't send the HTTP_REFERER header when loading an iframe that has been injected into a parent iframe that has no src attribute. This seems to be an issue unique to Safari. Chrome, Firefox, IE, Edge, Opera and Yandex all send the HTTP_REFERER header.

Steps to reproduce:
1) I set up a test case here: <https://sproutvideo-examples.s3.amazonaws.com/iframe_problem.html>. This page displays the request headers.

Expected Results: The browser should send the HTTP_REFERER header with the request and the test case should display https://sproutvideo-examples.s3.amazonaws.com/iframe_problem.html as the HTTP_REFERER.

Actual Results: The browser does not send the HTTP_REFERER header.

Platform: All versions of Safari on all operating systems.

Other Platforms: Every single browser (IE, Edge, Firefox, Chrome, Opera, Yandex) going back many versions and operating systems (Windows, MacOS/OSX, iOS, Android, etc) also going back several versions, behaves as expected and sends the HTTP_REFERER.
Radar WebKit Bug Importer
Comment 1
2017-03-19 13:54:13 PDT
<rdar://problem/31137534>
Adam Podolnick
Comment 2
2021-04-06 10:14:13 PDT
Just checking in. It's been 4 years, and this still is broken in the current version of Safari. Is there any chance someone will take a look at this?
Adam Podolnick
Comment 3
2025-05-29 10:38:46 PDT
Incredibly, this is still broken another 4 years later. Please fix this!
Jeremy Massel
Comment 4
2025-11-17 09:40:23 PST
YouTube is now enforcing the referrer requirements in <https://developers.google.com/youtube/terms/revision-history#july-7,-2025>, causing every WordPress site's editor to display an error in Safari.
https://github.com/WordPress/gutenberg/issues/73288
lars.kuhnt
Comment 5
2026-03-31 06:10:37 PDT
I think Safari orders the referrer policy in a different way than other browsers. If your page has e.g. <meta name="referrer" content="no-referrer" /> the iframe attribute referrerpolicy="strict-origin-when-cross-origin" is ignored and the referrer is not sent in iframe requests. The page meta tag needs to define <meta name="referrer" content="strict-origin-when-cross-origin" /> to allow referrer headers in iframe requests.
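
The precedence difference described in Comment 5, worked through as an added example that is not part of the bug report or of WebKit's code: it computes the Referer an embed provider would receive when the iframe's referrerpolicy attribute overrides the page policy (the order in the HTML and Referrer Policy specifications) and when the page policy wins (the order Comment 5 describes). All function names are hypothetical, the URLs are constructed, `policyComment5` models that comment's claim rather than verified Safari behaviour, and a downgrade is simplified to https → non-https.

```javascript
// Added example; names are hypothetical and the URLs are constructed.
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// Referrer stripping: only http(s) URLs yield a referrer; credentials and fragment are dropped.
function strip(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return originOnly ? u.origin + "/" : u.origin + u.pathname + u.search;
}

// Referer value for one request under one policy (null = header omitted).
// Simplification (assumption): "downgrade" is treated as https -> non-https only.
function computeReferer(policy, fromUrl, toUrl) {
  const full = strip(fromUrl, false), origin = strip(fromUrl, true);
  if (full === null) return null;
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case DEFAULT_POLICY: return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Specification order: a non-empty iframe referrerpolicy attribute overrides the document policy.
function policyStandard(meta, attr) { return attr || meta || DEFAULT_POLICY; }
// Order described in Comment 5 for Safari (a model of that comment, not verified behaviour).
function policyComment5(meta, attr) { return meta || attr || DEFAULT_POLICY; }

// What an embed provider would receive under each ordering, and whether the two agree.
function auditEmbed({ pageUrl, metaPolicy, iframePolicy, embedUrl }) {
  const standard = computeReferer(policyStandard(metaPolicy, iframePolicy), pageUrl, embedUrl);
  const comment5 = computeReferer(policyComment5(metaPolicy, iframePolicy), pageUrl, embedUrl);
  return { standard, comment5, portable: standard === comment5 };
}

// Constructed page: site-wide policy plus an explicit policy on the embed iframe.
const page = { pageUrl: "https://blog.example/editor?post=1#block", embedUrl: "https://video.example/embed/abc" };
console.log(auditEmbed({ ...page, metaPolicy: "no-referrer", iframePolicy: DEFAULT_POLICY }));
console.log(auditEmbed({ ...page, metaPolicy: DEFAULT_POLICY, iframePolicy: DEFAULT_POLICY }));
```

A `portable: false` result marks a configuration whose embed request carries a Referer under one ordering and none under the other, which is the case Comment 5 resolves by setting the page-level meta policy to strict-origin-when-cross-origin.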