
Safari mobile and desktop are hiding full referrer URL: why?


I have a website, www.a.com

In that website, I serve a page at https://www.a.com/mypage that contains this:

<script src='https://www.b.com/anotherpage'></script>

If I visit from any browser, b.com will receive this as the HTTP referrer:

https://www.a.com/mypage

However, if I visit from Safari mobile or desktop, the referrer becomes:

https://www.a.com/

Why? How can I force Safari to send the full referrer?

Example:

From Safari, b.com logs:

123.45.678.901 - - [06/Jun/2020:00:32:03 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "https://www.a.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1"

From another browser:

123.45.678.901 - - [06/Jun/2020:00:31:34 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "https://www.a.com/mypage/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

I've tried adding this:

<meta name="referrer" content="unsafe-url">

or this

<meta name="referrer" content="always">

to the <head> of https://www.a.com/mypage but to no avail.


Solution

  • The incorrect behaviour in Safari (the referrer being set to the domain only, without the URI) pertains to the fact that "Prevent cross-site tracking" is enabled. Setting:

    <meta name="referrer" content="no-referrer-when-downgrade">
    <meta http-equiv='Referrer-Policy' content='no-referrer-when-downgrade'>
    

    or setting referrerPolicy="no-referrer-when-downgrade" on the element (iframe, script tag, etc)

    does not affect it.

    See https://www.arcolatheatre.com/disable-prevent-cross-site-tracking/

    Hope this helps someone.
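
One way for b.com to cope with both kinds of log line shown in the question, as an added example that is not part of the original answer: parse the access log, reduce each Referer to its origin, and base any allow-list decision on the origin, so Safari's trimmed value and the full URL sent by other browsers are treated alike. The function names, the allow-list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the two log entries in the question.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jun/2020:00:32:03 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "https://www.a.com/" "Mozilla/5.0 (iPhone) Safari/604.1"',
    '203.0.113.7 - - [06/Jun/2020:00:31:34 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "https://www.a.com/mypage/" "Mozilla/5.0 (Windows NT 10.0) Chrome/83.0"',
    '203.0.113.9 - - [06/Jun/2020:00:33:10 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "https://other.example/page" "Mozilla/5.0 (X11) Firefox/77.0"',
    '203.0.113.9 - - [06/Jun/2020:00:34:00 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "-" "curl/7.68.0"',
]
ALLOWED_ORIGINS = {"https://www.a.com"}  # hypothetical allow-list of embedding sites


def referer_origin(referer):
    """Return (origin, granularity): granularity is 'none', 'origin-only' or 'full-url'."""
    if referer in ("", "-"):
        return None, "none"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None, "none"
    origin = f"{parts.scheme}://{parts.netloc.lower()}"
    # 'origin-only' is what Safari sends cross-site; it can also be a genuine
    # request from the site root, which the header alone cannot distinguish.
    trimmed = parts.path in ("", "/") and not parts.query
    return origin, ("origin-only" if trimmed else "full-url")


def classify(line, allowed=ALLOWED_ORIGINS):
    """Parse one access-log line and decide on the Referer's origin, never its path."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a Combined Log Format line
    origin, granularity = referer_origin(m["referer"])
    return {"origin": origin, "granularity": granularity, "allowed": origin in allowed}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```
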