Bug 188248 - service worker fetch handler results in bad referrer
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Reported: 2018-08-01 20:41 PDT by Ben Roberts
Modified: 2019-01-08 15:06 PST

Attachments
WIP (7.00 KB, patch)
2019-01-04 14:06 PST, youenn fablet
Patch (7.40 KB, patch)
2019-01-04 15:39 PST, youenn fablet
ews-watchlist: commit-queue-
Archive of layout-test-results from ews103 for mac-sierra (2.73 MB, application/zip)
2019-01-04 16:41 PST, EWS Watchlist
Patch (12.62 KB, patch)
2019-01-04 17:15 PST, youenn fablet
Archive of layout-test-results from ews101 for mac-sierra (2.58 MB, application/zip)
2019-01-04 18:12 PST, EWS Watchlist
Archive of layout-test-results from ews106 for mac-sierra-wk2 (3.85 MB, application/zip)
2019-01-04 18:39 PST, EWS Watchlist
Archive of layout-test-results from ews202 for win-future (12.86 MB, application/zip)
2019-01-04 18:53 PST, EWS Watchlist
Patch (17.75 KB, patch)
2019-01-04 19:20 PST, youenn fablet
ews-watchlist: commit-queue-
Archive of layout-test-results from ews102 for mac-sierra (2.62 MB, application/zip)
2019-01-04 21:01 PST, EWS Watchlist
Archive of layout-test-results from ews125 for ios-simulator-wk2 (9.64 MB, application/zip)
2019-01-04 21:05 PST, EWS Watchlist
Patch (18.66 KB, patch)
2019-01-05 19:06 PST, youenn fablet
Patch (18.58 KB, patch)
2019-01-05 19:46 PST, youenn fablet

Description Ben Roberts 2018-08-01 20:41:53 PDT
Installing a service worker with any kind of fetch handler (even a "pass-through" one, as in attached demo) can cause bad referrer values to be sent for fetches which shouldn't have a referrer. Example: external clicks, manually entering the address into the URL bar, etc. should not send any referrer. Instead a referrer value will be sent equal to the source of the service worker file location.

This is contrary to spec https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36

e.g. "The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard."

See https://passthrough-fetch-referer.glitch.me for demo.  Load in private window, refresh to see bug.
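
A server-side check for the symptom described above, as an added example that is not part of the original report or of the WebKit patch: it flags navigation requests whose Referer is the service worker script URL. The script URL `https://app.example/sw.js`, the request object shape and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (not WebKit code). Assumed: the site registers its service
// worker from this script URL; requests are plain objects with lower-cased headers.
const SW_SCRIPT_URLS = new Set(["https://app.example/sw.js"]);

// A top-level navigation: Sec-Fetch-Mode when the browser sends it,
// otherwise a GET whose first Accept entry is text/html.
function isNavigation(req) {
  const mode = req.headers["sec-fetch-mode"];
  if (mode) return mode === "navigate";
  const accept = req.headers["accept"] || "";
  return req.method === "GET" && accept.split(",")[0].trim() === "text/html";
}

// Reduce a Referer value to origin + path so a versioned script URL
// (sw.js?v=2) still matches; returns null when the value is not a URL.
function refererKey(value) {
  try {
    const u = new URL(value);
    return u.origin + u.pathname;
  } catch {
    return null;
  }
}

// Requests a service worker initiates itself can carry its script URL as
// referrer, so only navigations are checked here.
function classifyReferer(req) {
  if (!isNavigation(req)) return "not-navigation";
  const raw = req.headers["referer"];
  if (raw === undefined) return "no-referer";
  const key = refererKey(raw);
  if (key === null) return "malformed-referer";
  return SW_SCRIPT_URLS.has(key) ? "sw-script-referer" : "ordinary-referer";
}

// Constructed sample requests, not captured traffic.
const sampleRequests = [
  { method: "GET", url: "/", headers: { accept: "text/html,application/xhtml+xml", referer: "https://app.example/sw.js" } },
  { method: "GET", url: "/", headers: { accept: "text/html,application/xhtml+xml" } },
  { method: "GET", url: "/about", headers: { accept: "text/html", referer: "https://app.example/" } },
  { method: "GET", url: "/app.css", headers: { accept: "text/css,*/*;q=0.1", referer: "https://app.example/" } },
];

function summarize(requests) {
  return requests.map((r) => `${r.url} ${classifyReferer(r)}`);
}

console.log(summarize(sampleRequests).join("\n"));
```

A `sw-script-referer` result on a typed-in or externally linked navigation is the behaviour this bug describes; after the fix those requests should classify as `no-referer`.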
Comment 1 Radar WebKit Bug Importer 2019-01-04 10:07:28 PST
<rdar://problem/47050478>
Comment 2 youenn fablet 2019-01-04 14:06:07 PST
Created attachment 358364 [details]
WIP
Comment 3 youenn fablet 2019-01-04 15:39:55 PST
Created attachment 358386 [details]
Patch
Comment 4 EWS Watchlist 2019-01-04 16:41:39 PST
Comment on attachment 358386 [details]
Patch

Attachment 358386 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10634319

New failing tests:
http/tests/misc/object-embedding-svg-delayed-size-negotiation-2.htm
http/tests/security/referrer-policy-redirect-link.html
Comment 5 EWS Watchlist 2019-01-04 16:41:40 PST
Created attachment 358395 [details]
Archive of layout-test-results from ews103 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 6 youenn fablet 2019-01-04 17:15:42 PST
Created attachment 358402 [details]
Patch
Comment 7 EWS Watchlist 2019-01-04 18:12:21 PST
Comment on attachment 358402 [details]
Patch

Attachment 358402 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10635445

New failing tests:
http/wpt/css/css-animations/start-animation-001.html
Comment 8 EWS Watchlist 2019-01-04 18:12:23 PST
Created attachment 358410 [details]
Archive of layout-test-results from ews101 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 9 EWS Watchlist 2019-01-04 18:39:29 PST
Comment on attachment 358402 [details]
Patch

Attachment 358402 [details] did not pass mac-wk2-ews (mac-wk2):
Output: https://webkit-queues.webkit.org/results/10635532

New failing tests:
http/tests/security/strip-referrer-to-origin-for-third-party-redirects-in-private-mode.html
Comment 10 EWS Watchlist 2019-01-04 18:39:31 PST
Created attachment 358416 [details]
Archive of layout-test-results from ews106 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
Comment 11 EWS Watchlist 2019-01-04 18:53:44 PST
Comment on attachment 358402 [details]
Patch

Attachment 358402 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/10635631

New failing tests:
js/dom/custom-constructors.html
Comment 12 EWS Watchlist 2019-01-04 18:53:55 PST
Created attachment 358419 [details]
Archive of layout-test-results from ews202 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202  Port: win-future  Platform: CYGWIN_NT-6.1-2.10.0-0.325-5-3-x86_64-64bit
Comment 13 youenn fablet 2019-01-04 19:20:36 PST
Created attachment 358424 [details]
Patch
Comment 14 EWS Watchlist 2019-01-04 21:01:01 PST
Comment on attachment 358424 [details]
Patch

Attachment 358424 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10636841

New failing tests:
http/wpt/css/css-animations/start-animation-001.html
Comment 15 EWS Watchlist 2019-01-04 21:01:03 PST
Created attachment 358428 [details]
Archive of layout-test-results from ews102 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 16 EWS Watchlist 2019-01-04 21:05:06 PST
Comment on attachment 358424 [details]
Patch

Attachment 358424 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/10636628

New failing tests:
http/tests/security/referrer-policy-redirect-link-downgrade.html
Comment 17 EWS Watchlist 2019-01-04 21:05:08 PST
Created attachment 358429 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125  Port: ios-simulator-wk2  Platform: Mac OS X 10.13.6
Comment 18 youenn fablet 2019-01-05 19:05:37 PST
Mac error is unrelated.
iOS error is related (new test added not passing) but the sibling test which is almost the same (http/tests/security/referrer-policy-redirect-link.html) is skipped on iOS-sim (git history is not clear about why it was skipped there).
Comment 19 youenn fablet 2019-01-05 19:06:58 PST
Created attachment 358452 [details]
Patch
Comment 20 youenn fablet 2019-01-05 19:46:42 PST
Created attachment 358454 [details]
Patch
Comment 21 WebKit Commit Bot 2019-01-08 15:06:20 PST
Comment on attachment 358454 [details]
Patch

Clearing flags on attachment: 358454

Committed r239749: <https://trac.webkit.org/changeset/239749>
Comment 22 WebKit Commit Bot 2019-01-08 15:06:22 PST
All reviewed patches have been landed.  Closing bug.