SPFx assets fail to load in Safari on iOS when parent site uses Referrer-Policy: no-referrer

[FredrikEkstroem]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

Environment

• Device: iPhone (multiple tested)
• OS: iOS 26
• Browser: Safari (mobile)
• SPFx version: Observed across multiple versions (likely version-independent)
• Hosting model: Standard SharePoint Online with default public CDN

Describe the bug / error

Summary

When accessing a SharePoint Online site (System B) containing an SPFx web part from a different system (System A) that sets Referrer-Policy: no-referrer, Safari on iOS (observed on iOS 26) appears to inherit the no-referrer policy into the newly opened tab.

As a result, requests to the default SPFx asset CDN:

https://public-cdn.sharepointonline.com/<tenant>.sharepoint.com

are sent without a Referer header, causing the CDN to redirect to:

https://localhost/AccessOutsideSharePointIsNotAllowed

This results in the SPFx web part failing to load.

This behavior appears specific to Safari on iOS and does not reproduce in other tested browsers (some users has reported it on Safari on Mac, but not consistently reproduceable. Other browsers unaffected.)

---

Scenario Description

System A

• Returns HTTP header:

  Referrer-Policy: no-referrer
  

• Contains a link to a SharePoint Online site (System B)
• The link opens in a new tab/window

System B

• SharePoint Online site
• Contains an SPFx web part
• SPFx assets are loaded from:

  https://public-cdn.sharepointonline.com/<tenant>.sharepoint.com
  

---

Request Flow (Simplified)

sequenceDiagram
    participant User
    participant Safari_iOS
    participant System_A
    participant System_B as System B (SPO Site)
    participant SPO_Public_CDN as SPO Public CDN

    User->>System_A: Access site (Referrer-Policy: no-referrer)
    User->>Safari_iOS: Click link (opens new tab)
    Safari_iOS->>System_B: Navigate to SharePoint page
    System_B->>SPO_Public_CDN: Load SPFx JS bundle
    Note right of SPO_Public_CDN: Request has NO Referer header
    SPO_Public_CDN-->>Safari_iOS: Redirect to /AccessOutsideSharePointIsNotAllowed
    Safari_iOS-->>User: SPFx webpart fails to load

Loading

---

Technical Analysis

The default SharePoint Online public CDN appears to enforce referer validation and expects requests to originate from a SharePoint Online context.

When the Referer header is missing:

• The CDN assumes access is happening outside SharePoint
• The request is redirected to:

  https://localhost/AccessOutsideSharePointIsNotAllowed
  

Safari on iOS appears to propagate or inherit the no-referrer policy from the originating page (System A) to the newly opened tab. This results in:

• All subsequent resource requests (including CDN scripts) being sent without a Referer header
• Triggering CDN access protection

This inheritance behavior does not appear to occur in:

• Chrome (desktop/mobile)
• Edge
• (Desktop Safari?)

It looks like the issue has 2 parts.

• public-cdn.sharepointonline.com is using Referer as some kind of security function and it looks that is not very stable. However it only checks if the header exist, the value can be anything you'd like.
• iOS has a bug (or feature?) that uses Referrer Policy from one site on everything, even if you navigate somewhere else in another tab and keep that cached until you clear bowser cache. This is not something can be fixed by MS, but it might need to be taken into consideration since it might affect a lot of users.

---

Steps to reproduce

1. Configure System A to return:

   Referrer-Policy: no-referrer
   

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Page</title>
</head>
<body>
    <a target="_blank" class="text-decoration-none body" href="https://tenant.sharepoint.com/sites/site/sitepates/page.aspx" > testlink</a>
</body>
</html>

const express = require('express');
const path = require('path');

const app = express();

app.use((req, res, next) => {
  res.setHeader('Referrer-Policy', 'no-referrer');
  next();
});

app.use(express.static(path.join(__dirname, 'dist')));
app.get('*', (_, res) =>
  res.sendFile(path.join(__dirname, 'dist/index.html'))
);ß

app.listen(4200, () => {
  console.log('Server is running on http://localhost:4200');
});

2. Add a link in System A to a SharePoint Online site (System B).
3. Ensure the link opens in a new tab/window.
4. Add an SPFx web part to the landing page in System B.
5. Open System A in Safari on iOS.
6. Click the link to System B.
7. Observe:
   • SPFx assets fail to load
   • Network request to public-cdn.sharepointonline.com contains no Referer header
   • Redirect to /AccessOutsideSharePointIsNotAllowed

---

Expected Behavior

Opening System B in a new tab should result in:

• Normal loading of SPFx assets
• Referer header correctly set for CDN requests or resource not blocked when missing
• No redirect to AccessOutsideSharePointIsNotAllowed
• SPFx web part renders correctly

---

Actual Behavior (Safari iOS Only)

• The no-referrer policy appears to be inherited into the new tab.

• Requests to public-cdn.sharepointonline.com are made without a Referer header.

• The CDN redirects to:

  https://localhost/AccessOutsideSharePointIsNotAllowed
  

• SPFx web part fails to load.

---

[Ashlesha-MSFT]

Hello @FredrikEkstroem,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.
If you don’t receive a reply within two working days, please use this escalation form to escalate.

[Ashlesha-MSFT]

@FredrikEkstroem,
We attempted to reproduce this issue using the setup described:

System A: Express server returning Referrer-Policy: no-referrer header
Link to a SharePoint Online site (System B) with an SPFx web part
Tested on Safari on iOS (iPhone)

However, we were unable to reproduce the described behavior.
You noted the issue persists "until you clear browser cache." Was the issue observed:

• On a fresh Safari session?
• After multiple navigations from System A?
  We appreciate any additional details you can provide to help isolate the exact conditions needed to reproduce.

[FredrikEkstroem]

I can still consistently reproduce it with the code above. I'm on an iPhone 16e with iOS 26.3. The same was also observed by other iPhone models with that iOS version. Safari/Edge/Chrome browsers on iOS all have the same issue.

After the issue appeared, even if I close Safari fully and then go directly to SharePoint (without going to System A first) the issue is still there. I need to go into Safari settings/Clear History and Website Data to make it work. After clearing browser cache (and in private mode) the issue comes back when going to System A first.

If starting with a new session (clear browser data), 1. Go to SharePoint 2. Go to system A, click the link, then the issue is not there. In that case you have to clear browser data to reproduce the issue.

Is your spfx webpart loading resources from public-cdn.sharepointonline.com? Do you get redirected to https://localhost/AccessOutsideSharePointIsNotAllowed when accessing the resource without the Referer header?

[Ashlesha-MSFT]

@FredrikEkstroem,
Based on the current investigation, this behavior appears to be expected from the SharePoint Online public CDN, which requires the presence of a Referer header to allow SPFx asset loading. When Safari on iOS suppresses the Referer header due to a previously applied Referrer-Policy: no-referrer, the CDN blocks the request and redirects to /AccessOutsideSharePointIsNotAllowed. This indicates the issue is likely caused by browser-level behavior rather than SPFx itself. As this seems to be outside the direct scope of the sp-dev-docs engineering team, it may not be something we can directly fix. However, we will reach out to the engineering team to confirm whether any mitigation or platform-level change is possible.

[FredrikEkstroem]

Thanks, I agree that it is a Safari bug that is causing the Referer header to be removed, but from the SPFx side that cdn probably shouldn't use Referer as a "security" feature since it's quite unreliable. Also I'm not sure it's configured correctly since it doesn't really look at the value of the Referer header, you can load it from any domain or write any word or even leave it as an empty string, it only checks that the Referer exist.

[Ashlesha-MSFT]

@FredrikEkstroem,
Thank you again for the detailed findings and continued validation.
We’ve already engaged the engineering team internally and will be logging a bug in ADO to formally track this scenario.