Closed Bug 1648166 Opened 4 years ago Closed 4 years ago

document.referrer of iframe is different if top level URL contains fbclid

Categories

(Core :: Privacy: Anti-Tracking, defect)

Product:
Core
Component:
Privacy: Anti-Tracking
Version:
77 Branch
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: elliott, Unassigned)

References

(Regression)

Details

(Keywords: parity-chrome, regression)

Attachments

(3 files)

screenshot of console showing error while attempting to postMessage parent
5.85 KB, image/gif
Details
outer_frame.html
148 bytes, text/html
Details
inner_frame.html
148 bytes, text/html
Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0

Steps to reproduce:

In a JavaScript file within an iframe, console.log the document.referrer from within the iframe

Actual results:

logging document.referrer returns a different string if fbclid is included in the top level URL

Expected results:

document.referrer should represent the document referrer regardles of the url

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

Reproducible with the attached pages, requires running a web server (e.g. python -m SimpleHTTPServer).

The problem isn't specific to "fbclid", it also doesn't work for other key-value pairs.

Chrome doesn't drop the key-value pairs.

Can reproduce by navigating to https://software.hixie.ch/utilities/js/live-dom-viewer/?fbclid and then pasting <iframe srcdoc="<script>alert(document.referrer)</script>"> into the text field containing fbclid. (It alerts the site even, not the origin. Doesn't happen for other strings, such as fbcli.)

Flags: needinfo?(jhofmann)

It seems Johann will be away for a longer time. ni?'ing Gary additionally.

Flags: needinfo?(xeonchen)

It seems this was intentional per bug 1568341, though it's rather surprising as it's not standardized and returning the site (instead of origin) isn't part of Referrer Policy.

It also doesn't seem sufficient as a mitigation as the Referer header still includes the full URL.

Component: DOM: Core & HTML → Privacy: Anti-Tracking
Flags: needinfo?(xeonchen)
Flags: needinfo?(senglehardt)
Flags: needinfo?(jhofmann)
Regressed by: 1568341
Has Regression Range: --- → yes

Thanks for the report. As Anne said this is intentional as part of our tracking protection. I filed Bug 1648622 to capture two possible enhancements to the protection. In particular, switching our trimming from eTLD+1 to origin seems like it would fix the issues Comment 0 is running into and wouldn't relax the protections.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(senglehardt)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: