There's a pending PR to the referrer policy spec (https://github.com/w3c/webappsec-referrer-policy/pull/142) which changes the default policy to strict-origin-when-cross-origin. This truncates requests' referrers to (at most) their origins on all cross-origin requests that do not explicitly set more permissive policies. As part of the standard process of landing a spec PR, I'm filing this umbrella feature request/tracking bug to keep track of (intentional and unintentional) differences between WebKit and the standardized behavior in these cases.
<rdar://problem/71468395>
FYI, https://github.com/w3c/webappsec-referrer-policy/pull/142 has now merged.
The only significant difference I'm aware of is in http://wpt.live/referrer-policy/gen/top.http-rp/unset/a-tag.http.html, where WebKit w. ITP enabled sends the full referrer given it uses effectively an eTLD+1-based policy.
I think all we need to do here is change our default referrer policy, and then we can drop the resource-load-statistics specific code, so let's just change the title to correspond to that.
Ah, no, that's not true. Because unsafe-url and no-referrer-when-downgrade still need the same-site behaviour. Sorry for the noise!
Note that ITP downgrades referrers *regardless* of any site policy wanting a more leaky referrer. That is the intended behavior so it's not just about default policy.
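An added illustration (not part of the bug thread and not WebKit code) of the two behaviours discussed above: the spec's referrer computation under the new `strict-origin-when-cross-origin` default, and a simplified model of a cross-site downgrade applied on top of whatever policy the page sets. The function names, the sample URLs, the https-only trust check and the last-two-labels site check (a real implementation uses the Public Suffix List) are assumptions.

```javascript
// Added example: simplified model of the behaviour discussed in this thread.
// Strip credentials and fragment; optionally reduce the URL to its origin.
const strip = (u, originOnly) => {
  const url = new URL(u);
  url.username = ""; url.password = ""; url.hash = "";
  if (originOnly) { url.pathname = "/"; url.search = ""; }
  return url.href;
};
// ASSUMPTION: "potentially trustworthy" is approximated as scheme == https.
const isDowngrade = (from, to) =>
  new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
// ASSUMPTION: site (eTLD+1) is approximated as the last two host labels.
const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// Referrer per the Referrer Policy spec for the policies named in the thread.
// Returns null when no referrer is sent.
function specReferrer(from, to, policy = "strict-origin-when-cross-origin") {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return strip(from, false);
    case "no-referrer-when-downgrade":
      return isDowngrade(from, to) ? null : strip(from, false);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(from, false);
      return isDowngrade(from, to) ? null : strip(from, true);
    default:
      throw new Error("policy not modelled here: " + policy);
  }
}

// Hypothetical model of the downgrade described above: cross-site requests
// get at most the origin, even if the page asked for a leakier policy.
// Same-site requests keep whatever the policy yields.
function sameSiteDowngrade(from, to, policy) {
  const r = specReferrer(from, to, policy);
  if (r === null) return null;
  return site(from) === site(to) ? r : strip(from, true);
}

// Constructed sample URLs.
const page = "https://user:pw@app.example.com/account/reset?token=abc#frag";
console.log(specReferrer(page, "https://cdn.example.com/x.js"));
console.log(specReferrer(page, "https://tracker.test/p", "unsafe-url"));
console.log(sameSiteDowngrade(page, "https://tracker.test/p", "unsafe-url"));
```

The same-site, cross-origin case (`app.example.com` to `cdn.example.com`) is where the two models diverge: with `unsafe-url` the origin-based spec check and the site-based downgrade both allow the full URL, while under the default policy the spec already truncates to the origin.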
Created attachment 433493 [details] Patch
Comment on attachment 433493 [details] Patch

r- due to missing tests rebaselines in this patch and EWS bubbles being red.
Created attachment 433577 [details] Patch
Created attachment 433598 [details] Patch
Created attachment 433669 [details] Patch
Comment on attachment 433669 [details] Patch

r=me

Committed r280081 (239807@main): <https://commits.webkit.org/239807@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433669 [details].