Why do URL parameters mysteriously disappear in Safari privacy mode?
2025.05.07
Preface
Recently, I was investigating a problem where page parameters go missing in Safari's Private Browsing mode. If you open page B directly in Safari, JS on page B can read the parameters in the page link as usual. However, if Safari opens page A first and page A then jumps to page B (pages A and B are deployed on different domains), page B cannot read the parameters in the link through JS.
Problem demonstration
The link format of page B is as follows: xx.qq.com?au=xx...
Get the page link and page parameters through the following code
If you open page B alone in private mode
You can see that the complete link of the page (including parameters) is obtained normally, which is as expected.
But if you open page A first, and then jump from page A to page B (A and B have different domains), let's take a look at the results:
As can be seen from the above picture, location.search is no longer available, and the value obtained by location.href no longer includes location.search.
So what does Safari do in private mode?
Safari Private Browsing
After some research, we learned that in Safari 17, Private Browsing became more private and added defenses against some of the most advanced tracking techniques. The technical improvements include:
- Link tracking protection
- Block network loads of known trackers, including known trackers hidden by CNAME
- Advanced fingerprint protection
- Extensions with website or history access permissions are turned off by default
Link Tracking Protection
The document says this:
Translated: On the target site after a cross-site navigation, any third-party scripts that attempt to read the full URL or parameters (such as using location.search, location.href, or document.URL) will get a version of the URL without query parameters or fragments.
That is, link parameters are lost in Safari Private Browsing only when both of the following conditions are met:
- The page is reached through a cross-domain jump
- The link or parameters are read in a third-party script (that is, the JS file and the HTML template are not served from the same domain)
Solution
Same-domain redirect
Since the parameters are lost only after a cross-domain redirect, can we read the page link parameters normally by redirecting within the same domain?
If the first solution does not fit your business scenario, you can deploy the HTML template file and the JS file on the same domain, which also avoids the Safari Private Browsing restriction.
Embedded scripts
If your business requires cross-domain redirection but you don't want to change the deployment plan, the inline script solution is a better fit. We can insert a JS script directly in the HTML template file to read the page link and parameters. This JS is then no longer a third-party script.
For example:
Then read selfLink and selfSearch from window wherever they are needed.
You can see that selfLink and selfSearch, attached to the window by the embedded script, can be read normally, while reading window.location.href directly loses the search parameters.
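The inline-script approach described above, as an added example that is not code from the original post. selfLink and selfSearch are the names used in the article; the helper names, the simulated window and the b.example URL are assumptions made for illustration.

```javascript
// Inline <script> body for page B's HTML template. It runs as first-party
// code, so it still sees the full URL after a cross-site navigation.
// captureSelfLocation / readParam are hypothetical helper names.
function captureSelfLocation(win) {
  const snapshot = {
    selfLink: win.location.href,
    selfSearch: win.location.search,
  };
  for (const [name, value] of Object.entries(snapshot)) {
    // Read-only: scripts loaded later cannot overwrite the captured values.
    Object.defineProperty(win, name, {
      value, writable: false, configurable: false, enumerable: true,
    });
  }
  return snapshot;
}

// For the bundle served from another domain: prefer the snapshot and fall
// back to location.search when the inline script did not run.
function readParam(win, key) {
  const search =
    typeof win.selfSearch === "string" ? win.selfSearch : win.location.search;
  return new URLSearchParams(search).get(key);
}

// Constructed stand-in for the behaviour the article describes: both views
// share window properties, but the third-party view of location is stripped.
function simulateCrossSiteWindow(fullUrl) {
  const u = new URL(fullUrl);
  const firstParty = { location: { href: u.href, search: u.search } };
  const thirdParty = Object.create(firstParty, {
    location: { value: { href: u.origin + u.pathname, search: "" } },
  });
  return { firstParty, thirdParty };
}

// Constructed sample URL; in the real template call captureSelfLocation(window).
const demo = simulateCrossSiteWindow("https://b.example/page?au=demo&from=a");
captureSelfLocation(demo.firstParty);
console.log(demo.thirdParty.location.href); // stripped URL
console.log(readParam(demo.thirdParty, "au")); // value from the snapshot
```

Values placed on window are readable by every script on the page, external ones included, so capture only what the page actually needs.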