Bug 228291 - Referrer-Policy not properly applying with iframe redirections
Summary: Referrer-Policy not properly applying with iframe redirections
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alex Christensen
URL: http://wpt.live/referrer-policy/gen/t...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-07-26 12:07 PDT by Sam Sneddon [:gsnedders]
Modified: 2021-08-02 12:08 PDT (History)
8 users (show)

See Also:

Attachments
Patch (2.29 KB, patch)
2021-07-28 17:06 PDT, Alex Christensen 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam Sneddon [:gsnedders] 2021-07-26 12:07:08 PDT 
wpt.fyi shows a variety of iframe-related failures:

https://wpt.fyi/results/referrer-policy/gen?label=master&label=experimental&product=chrome&product=firefox&product=webkitgtk&aligned&q=count%3A2%28status%3Apass%29%20none%28status%3Amissing%7Cstatus%3Anotrun%29%20%21sharedworker

(using WebKitGTK as it contains more recent fixes in this area than the latest STP run)

Essentially, regardless of where the policy is specified, we fail to apply a policy on redirection from same (HTTP, not HTTPS) origin, and hence end up sending the Referrer when we shouldn't.
Comment 1 Alex Christensen 2021-07-28 17:06:15 PDT 
Created attachment 434478 [details]
Patch
Comment 2 Alex Christensen 2021-07-28 17:44:49 PDT 
Comment on attachment 434478 [details]
Patch

This also breaks several other tests.  This isn't quite right.
Comment 3 Alex Christensen 2021-07-28 19:12:39 PDT 
SubresourceLoader::checkRedirectionCrossOriginAccessControl is also a good place to look around
Comment 4 Radar WebKit Bug Importer 2021-08-02 12:08:28 PDT 
<rdar://problem/81423168>