NEW169846
Safari does not send HTTP_REFERER from iframe injected into parent iframe that has no src attribute 
https://bugs.webkit.org/show_bug.cgi?id=169846
Summary Safari does not send HTTP_REFERER from iframe injected into parent iframe tha...
Adam Podolnick
Reported 2017-03-18 10:15:36 PDT
Safari / WebKit doesn't send the HTTP_REFERER header when loading an iframe that has been injected into a parent iframe that has no src attribute. This seems to be an issue unique to Safari. Chrome, Firefox, IE, Edge, Opera and Yandex all send the HTTP_REFERER header. Steps to reproduce: 1) I set up a test case here: https://sproutvideo-examples.s3.amazonaws.com/iframe_problem.html . This page displays the request headers. Expected Results: The browser should send the HTTP_REFERER header with the request and the test case should display https://sproutvideo-examples.s3.amazonaws.com/iframe_problem.html as the HTTP_REFERER. Actual Results: The browser does not send the HTTP_REFERER header. Platform: All versions of Safari on all operating systems. Other Platforms: Every single browser (IE, Edge, Firefox, Chrome, Opera, Yandex) going back many versions and operating systems (Windows, MacOS/OSX, iOS, Android, etc) also going back several versions, behaves as expected and sends the HTTP_REFERER
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2017-03-19 13:54:13 PDT
<rdar://problem/31137534>
Adam Podolnick
Comment 2 2021-04-06 10:14:13 PDT
Just checking in. It's been 4 years, and this still is broken in the current version of Safari. Is there any chance someone will take a look at this?
Adam Podolnick
Comment 3 2025-05-29 10:38:46 PDT
Incredibly, this is still broken another 4 years later. Please fix this!
Jeremy Massel
Comment 4 2025-11-17 09:40:23 PST
YouTube is now enforcing the referrer requirements in https://developers.google.com/youtube/terms/revision-history#july-7,-2025, causing every WordPress site's editor to display an error in Safari. https://github.com/WordPress/gutenberg/issues/73288
lars.kuhnt
Comment 5 2026-03-31 06:10:37 PDT
I think Safari orders the referrer policy in a different way than other browsers so. If your page has e.g. <meta name="referrer" content="no-referrer" /> the iframe attribute referrerpolicy="strict-origin-when-cross-origin" is ignored and the referrer is not sent in iframe requests. The page meta tag needs to define <meta name="referrer" content="strict-origin-when-cross-origin" /> to allow referrer headers in iframe requests.
Note You need to log in before you can comment on or make changes to this bug.