I've tested how Safari sends a referrer for cross-site requests. The following post mentions that Safari sends a referrer downgraded to its origin for all cross-site requests.

> ITP now downgrades all cross-site request referrer headers to just the page’s origin.

https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/

So, I've tested with two sites that are created on glitch.me. glitch.me is registered in the Public Suffix List, so I guess that the referrer for a request between the two sites is its origin, not full URL.

https://publicsuffix.org/list/public_suffix_list.dat

But the Referer header was the full URL, not the origin. You can test it like this.

- Navigate https://referrer-a.glitch.me/referrer-a
- Open Network Panel
- Click Navigate Referrer B
- Check the Referer header for a request to https://referrer-b.glitch.me/referrer-b

Expected Referer Header: https://referrer-a.glitch.me
Actual Referer Header: https://referrer-a.glitch.me/referrer-a

The cross-site that the blog post mentioned is eTLD+1, isn't it?

https://web.dev/same-site-same-origin/
<rdar://problem/66903413>
This doesn't reproduce in the above case on ToT, but purely because the default referrer-policy is now strict-origin-when-cross-origin. glitch.me has been in the version of the PSL we've shipped for a long time (Catalina at least shipped with it there, not checked further back), so I'm not sure why ITP isn't stripping the referrer in this case. John?
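
The two rules discussed in this thread, as an added example that is not part of the original report or WebKit's code: it models the referrer policy and the cross-site (eTLD+1) downgrade quoted from the blog post, and applies both to the reporter's two URLs. The function names, the three-entry Public Suffix List subset, the scheme-less same-site check and the use of `no-referrer-when-downgrade` as the earlier default are assumptions of this sketch.

```javascript
// Constructed subset of the Public Suffix List (the real list is much longer;
// wildcard and exception rules are not handled here).
const PUBLIC_SUFFIXES = new Set(["com", "me", "glitch.me"]);

// eTLD+1: the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0: the host is itself a public suffix, so it has no eTLD+1.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Scheme-less same-site check (an assumption of this sketch).
function isSameSite(from, to) {
  const a = registrableDomain(new URL(from).hostname);
  return a !== null && a === registrableDomain(new URL(to).hostname);
}

// An origin-only Referer is serialized with a trailing slash.
const originOnly = (url) => new URL(url).origin + "/";

// Referer value under a given policy; null means no header is sent.
function policyReferer(policy, from, to) {
  const f = new URL(from), t = new URL(to);
  if (f.protocol === "https:" && t.protocol !== "https:") return null;
  f.hash = ""; f.username = ""; f.password = "";
  if (policy === "no-referrer-when-downgrade") return f.href;
  if (policy === "strict-origin-when-cross-origin") {
    return f.origin === t.origin ? f.href : originOnly(from);
  }
  throw new Error("policy not modelled: " + policy);
}

// Model of the ITP rule quoted from the blog post: cross-site => origin only.
function itpReferer(policy, from, to) {
  const referer = policyReferer(policy, from, to);
  if (referer === null || isSameSite(from, to)) return referer;
  return originOnly(from);
}
```

With `glitch.me` in the suffix set, the two glitch.me hosts are different sites, so the modelled downgrade yields the origin even under the older policy; two subdomains of a hypothetical `example.com` stay same-site and keep the full URL unless the policy itself trims on cross-origin.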