iOS Safari Referrer-Policy verification

server.js

// Run with $ node server.js
var http = require('http');

var server = http.createServer(function (req, res) {
    referrerPolicy = "strict-origin-when-cross-origin"; // Replace with corresponding test value
    res.writeHead(200, { 'Content-Type': 'text/html', 'Referrer-Policy': referrerPolicy });
    res.write('<html><body>');
    res.write('<h1>Test page</h1>');
    res.write('<ul>');
    res.write('<li><a href="https://github.com">Cross-origin request</a></li>');
    res.write('<li><a href="http://github.com">Cross-origin request (downgrade)</a></li>');
    res.write('<li><a href="https://2b273f2cc10b.ngrok.io">Same-origin request</a></li>');
    res.write('<li><a href="http://2b273f2cc10b.ngrok.io">Same-origin request (downgrade)</a></li>');
    res.write('</ul>');
    res.write('</body></html>');
    res.end();
});

test_protocol.md

Test protocol

• Environment: Safari on iOS 14.4.2 in default settings
• Connected via Web Inspector: https://www.browserstack.com/guide/how-to-debug-on-iphone

Findings

Default referrer policy (no header sent):

• HTTPS -> HTTPS cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP cross-origin request -> no referrer transmitted
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP same-origin request -> no referrer transmitted

Interpretation: Seems to default to no-referrer-when-downgrade, not strict-origin-when-cross-origin

no-referrer

• HTTPS -> HTTPS cross-origin request -> no referrer transmitted
• HTTPS -> HTTP cross-origin request -> no referrer transmitted
• HTTPS -> HTTPS same-origin request -> no referrer transmitted
• HTTPS -> HTTP same-origin request -> no referrer transmitted

Interpretation: expectations met

no-referrer-when-downgrade

• HTTPS -> HTTPS cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP cross-origin request -> no referrer transmitted
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP same-origin request -> no referrer transmitted Interpretation: expectations met

origin

• HTTPS -> HTTPS cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTP cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTP same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/ Interpretation: expectations met

origin-when-cross-origin

• HTTPS -> HTTPS cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTP cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/ Interpretation: expectations met

same-origin

• HTTPS -> HTTPS cross-origin request -> no referrer transmitted
• HTTPS -> HTTP cross-origin request -> no referrer transmitted
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP same-origin request -> no referrer transmitted

Interpretation: expectations met

strict-origin

• HTTPS -> HTTPS cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTP cross-origin request -> no referrer transmitted
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTP same-origin request -> no referrer transmitted

Interpretation: expectations met

strict-origin-when-cross-origin

• HTTPS -> HTTPS cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/
• HTTPS -> HTTP cross-origin request -> no referrer transmitted
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP same-origin request -> no referrer transmitted

Interpretation: expectations met

unsafe-url

• HTTPS -> HTTPS cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP cross-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTPS same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test
• HTTPS -> HTTP same-origin request -> Referer: https://2b273f2cc10b.ngrok.io/test.html?q=test

Interpretation: expectations met