NEW206521
WKWebview: Unable to control HTTP Referer policy 
https://bugs.webkit.org/show_bug.cgi?id=206521
Summary WKWebview: Unable to control HTTP Referer policy
sam
Reported 2020-01-21 02:18:44 PST
In testing we observe that WKWebview currently sends full Referers to all origins (including third-parties) on page load. This this a [known tracking a security vulnerability](https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/) that all apps using WKWebview are susceptible to. There is currently no way (that we are aware of) to override this behavior.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-01-22 08:26:41 PST
<rdar://problem/58797376>
Maciej Stachowiak
Comment 2 2020-02-19 00:16:22 PST
Would it be satisfactory if WebKit always sent origin-only Referers, instead of exposing a policy? (Safari does this already, but I think it may be tied to ITP, perhaps unnecessarily.)
Krzysztof Jan Modras [:chrmod]
Comment 3 2020-02-19 01:43:33 PST
Just for reference - Firefox comes with advanced set of configuration options for referers https://wiki.mozilla.org/Security/Referrer Most important parameters are: - when to send (all requests, on interaction, never) - trimming (removing path/query) - origin control (don't send to 3rd parties) Perhaps changing the default behaviour would be fine, but I'm not aware of all usecases. From privacy oriented web browser (like Cliqz) perspective it's definitely a way forward, but I could imagine some apps could experience breakage or may prefer to have referes. It's more for WebKit team to decide how much of general purpose tool the WKWebView should be.
Note You need to log in before you can comment on or make changes to this bug.