Fix about:blank document.referrer initialization

https://bugs.webkit.org/show_bug.cgi?id=242965

Reviewed by Darin Adler.

This change makes WebKit conform to the requirement in the HTML spec at
https://html.spec.whatwg.org/#creating-a-new-browsing-context that a
new browsing context is created with its referrer set to "the
serialization of [its] creator's URL" — that is, the creator’s full URL,
without regard to Referrer Policy — which makes the WebKit behavior in
this case interoperable with existing behavior in Blink.

Otherwise, without this change, the referrer is set to an “origin string”
(origin + trailing slash) — which breaks conformance with the spec, and
breaks interop/compat with Blink.

* LayoutTests/http/wpt/html/browsers/windows/browsing-context.html:
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/windows/browsing-context-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/browsers/windows/browsing-context-expected.txt: Removed.
* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::loadSubframe):

Canonical link: https://commits.webkit.org/273830@main

LayoutTests/http/wpt/html/browsers/windows/browsing-context.html

@@ -43,7 +43,7 @@
     }, "Check that new document nodes extant, empty");
 
     test(function () {
-      assert_equals(doc.referrer, document.location.origin + '/', "The document's referrer should be its creator document's origin.");
+      assert_equals(doc.referrer, document.URL, "The document's referrer should be its creator document's URL.");
       assert_equals(iframe.contentWindow.parent.document, document);
     }, "Check the document properties corresponding to the creator browsing context");
     </script>

LayoutTests/imported/w3c/web-platform-tests/html/browsers/windows/browsing-context-expected.txt

@@ -1,5 +1,5 @@
 
 PASS Check that browsing context has new, ready HTML document
 PASS Check that new document nodes extant, empty
-FAIL Check the document properties corresponding to the creator browsing context assert_equals: The document's referrer should be its creator document's URL. expected "http://localhost:8800/html/browsers/windows/browsing-context.html" but got "http://localhost:8800/"
+PASS Check the document properties corresponding to the creator browsing context
 

Source/WebCore/loader/SubframeLoader.cpp

@@ -313,7 +313,17 @@ RefPtr<LocalFrame> FrameLoader::SubframeLoader::loadSubframe(HTMLFrameOwnerEleme
     ReferrerPolicy policy = ownerElement.referrerPolicy();
     if (policy == ReferrerPolicy::EmptyString)
         policy = document->referrerPolicy();
-    String referrerToUse = SecurityPolicy::generateReferrerHeader(policy, url, referrer, OriginAccessPatternsForWebProcess::singleton());
+    // For any new (about:blank) browsing context, step 16 of
+    // https://html.spec.whatwg.org/#creating-a-new-browsing-context requires
+    // setting the referrer to "the serialization of creator's URL" — that is,
+    // the full URL, without regard to Referrer Policy.
+    // And rather than doing this in SecurityPolicy::generateReferrerHeader,
+    // we do it here because per-spec, this should only happen when creating
+    // a new browsing context — and per step 13 of the spec algorithm at
+    // https://html.spec.whatwg.org/#initialise-the-document-object, should
+    // not happen when creating and initializing a new Document object (in
+    // which case, Referrer Policy is applied).
+    auto referrerToUse = url.isAboutBlank() ? referrer : SecurityPolicy::generateReferrerHeader(policy, url, referrer, OriginAccessPatternsForWebProcess::singleton());
 
     frame->checkedLoader()->loadURLIntoChildFrame(url, referrerToUse, subFrame.get());