Bug 263072 - No "referer" header when iframe url set with location.replace
Summary: No "referer" header when iframe url set with location.replace
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames (show other bugs)
Version: Safari 17
Hardware: All All
: P2 Normal
Assignee: sideshowbarker
URL:
Keywords: BrowserCompat, InRadar
Depends on:
Blocks:
 
Reported: 2023-10-12 07:50 PDT by Arthur Schwaiger
Modified: 2023-11-14 19:00 PST (History)
7 users (show)

See Also:

Attachments
result of the minimal reproducible example (689.18 KB, image/png)
2023-10-12 07:50 PDT, Arthur Schwaiger 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arthur Schwaiger 2023-10-12 07:50:12 PDT 
Created attachment 468188 [details]
result of the minimal reproducible example

Hi WebKit team,

When using location.replace to set the URL of an iframe (instead of the classic "src" attribute), the "referer" in the iframe request is not set.

All other major browsers (Chrome, Firefox, Edge) properly set the "referer" with both location.replace and src attribute.

This has major impact on our service where our providers *need* this referer header.

We have a minimal reproducible example here.
It's a simple iframe where the URL is set with location.replace, and a Node.js backend which returns the request's referer.

You can see the result in the screenshot: all browsers except Safari return the referer. For safari, it's undefined.

HTML:
```
<iframe id="myIframe"></iframe>
<script>
  var myIframe = document.getElementById("myIframe");
  myIframe.contentWindow.location.replace("http://localhost:3000");
</script>
```

Node.js Server (Express):
```
const express = require("express");
const app = express();

app.use((req, res) => {
  const referer = req.headers.referer;
  res.send(`Referer: ${referer}`);
});

app.listen(3000, () => {
  console.log("Server listening on port 3000");
});
```


I'm available if you need any more information.

Thank you for your help !

Best regards,

Arthur Schwaiger
Comment 1 Ahmad Saleem 2023-10-12 08:21:54 PDT 
Hi Arthur, can you attach simple reproducible test case or webpage for testing purposes?
Comment 2 sideshowbarker 2023-10-12 22:49:56 PDT 
I’ve written a WPT test for this and I can confirm that the test passes in Firefox and Chrome but fails in Safari. The test files are here:

- https://github.com/web-platform-tests/wpt/blob/sideshowbarker/location-replace-from-iframe/html/browsers/history/the-location-interface/location-replace-from-iframe.sub.html

- https://github.com/web-platform-tests/wpt/blob/sideshowbarker/location-replace-from-iframe/html/browsers/history/the-location-interface/resources/iframe-contents.sub.html

I’ll investigate today, and if I can find a fix, I’ll open a PR with a patch for the fix, and with the WPT tests.
Comment 3 sideshowbarker 2023-10-15 02:57:05 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/19093
Comment 4 Radar WebKit Bug Importer 2023-10-19 07:51:12 PDT 
<rdar://problem/117205761>
Comment 5 sideshowbarker 2023-10-25 02:29:46 PDT 
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/42742
Comment 6 sideshowbarker 2023-10-31 16:15:36 PDT 
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/42877
Comment 7 EWS 2023-11-14 19:00:25 PST 
Committed 270741@main (1350b5914d01): <https://commits.webkit.org/270741@main>

Reviewed commits have been landed. Closing PR #19093 and removing active labels.