Question
I have a website, www.a.com
In that website, I serve a page at https://www.a.com/mypage that contains this:
<script src='https://www.b.com/anotherpage'></script>
If I visit from every browser, b.com will receive this as HTTP referrer:
https://www.a.com/mypage
However, if I visit from Safari mobile or desktop, the referrer becomes:
https://www.a.com/
Why? How can I force Safari to send the full referrer?
Example:
from Safari, b.com logs:
123.45.678.901 - - [06/Jun/2020:00:32:03 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "https://www.a.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1"
from another browser:
123.45.678.901 - - [06/Jun/2020:00:31:34 +0200] "GET /anotherpage/ HTTP/1.1" 200 0 "https://www.a.com/mypage/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
I've tried adding this:
<meta name="referrer" content="unsafe-url">
or this
<meta name="referrer" content="always">
to the <head> of https://www.a.com/mypage but to no avail.
Answer 1:
The incorrect behaviour in Safari (referrer being set to the domain only, without the URI) pertains to the fact that Prevent cross-site tracking is enabled.
Setting:
<meta name="referrer" content="no-referrer-when-downgrade">
<meta http-equiv='Referrer-Policy' content='no-referrer-when-downgrade'>
or setting referrerPolicy="no-referrer-when-downgrade" on the element (iframe, script tag, etc.) does not affect it.
See https://www.arcolatheatre.com/disable-prevent-cross-site-tracking/
Hope this helps someone.
Answer 2:
The value that is sent as the Referer header is determined by the Referrer Policy in effect for a given request. The chosen policy can come from a browser default, an HTTP header, a meta tag, or an attribute on the individual tag.
The difference you're seeing is probably because browsers are moving from a default of no-referrer-when-downgrade (which would show the full path in your case) to strict-origin-when-cross-origin (which wouldn't, since it's a cross-origin request). Safari has presumably made that change while the others you tested haven't. (But note that Chrome will be adopting the new default in version 85.)
Your attempt to use the meta tag should work, so if it doesn't, something might be interfering. You could try using one of the other mechanisms, like a Referrer-Policy header or a <meta http-equiv='Referrer-Policy' content='no-referrer-when-downgrade'> tag. Unfortunately, according to MDN, Safari doesn't support the referrerpolicy attribute on the script tag.
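The policy outcomes described in the answer above, as an added example that is not part of the original post: a simplified model of how a Referrer Policy maps a page URL and a request URL to the Referer value. The function name computeReferer is hypothetical, and "downgrade" is approximated as https to non-https; it models only the policy, not any browser-specific tracking prevention.

```javascript
// Added example: simplified model of the Referrer Policy algorithm.
// Assumption: a "downgrade" is an https: page requesting a non-https: URL.
function computeReferer(policy, pageUrl, requestUrl) {
  const src = new URL(pageUrl);
  const dst = new URL(requestUrl);

  // Credentials and the fragment are always stripped before sending.
  src.username = "";
  src.password = "";
  src.hash = "";
  const full = src.href;               // origin + path + query
  const originOnly = src.origin + "/"; // what the Safari log line shows

  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";

  switch (policy) {
    case "no-referrer":
      return null; // header omitted
    case "unsafe-url":
      return full;
    case "origin":
      return originOnly;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// The request from the question: a page on a.com loads a script from b.com.
const page = "https://www.a.com/mypage";
const script = "https://www.b.com/anotherpage";
for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  console.log(p, "->", computeReferer(p, page, script));
}
```

On the receiving side, a log analysis that expects full paths in the Referer field should treat an origin-only value as a normal outcome of the stricter default rather than as missing data.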
Answer 3:
You can't display the complete URL from your website configuration/header. Now it is a configuration of your web browser.
This is not new behavior; since 2014 Apple has been preventing the display of URL addresses that can be bloated with incomprehensible text.
You can take this reference: Next Safari for Mac hides full Web addresses
Now, that is the "normal" behavior for Safari for iOS devices and Macs, but that doesn't mean you can't disable it. If you want, you can show full URLs: go to Safari > Preferences > Advanced > Select Show full website address.
You can take this as a reference:
How to Show the Full Website URL in Safari for Mac OS
How to Stop Safari From Hiding URL's
How to See the Entire URL in Safari's Address Bar
Source: https://stackoverflow.com/questions/62225068/safari-mobile-and-desktop-are-hiding-full-referrer-url-why