referrerPolicy unsafe-url is not being respected #3767

Open
aldenquimby opened this issue Oct 24, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@aldenquimby

aldenquimby commented Oct 24, 2024

Bug Description

referrerPolicy unsafe-url is not being respected

Reproducible By

fetch('https://example.com', {
  referrer: 'https://google.com/hello/world',
  referrerPolicy: 'unsafe-url'
});
  • request ends up with header referer: https://google.com/ (path is removed)

Expected Behavior

  • request has header referer: https://google.com/hello/world

Environment

MacOS 14.7, Node v20

Additional context

  • logic in determineRequestsReferrer looks good, which suggests something else is modifying referrer
  • why does this code exist? it appears to forcefully block cross-origin referrers, regardless of policy:
    // 3. If one of the following is true
    // - parsedReferrer’s scheme is "about" and path is the string "client"
    // - parsedReferrer’s origin is not same origin with origin
    // then set request’s referrer to "client".
    if (
      (parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') ||
      (origin && !sameOrigin(parsedReferrer, environmentSettingsObject.settingsObject.baseUrl))
    ) {
      request.referrer = 'client'
    } else {
      // 4. Otherwise, set request’s referrer to parsedReferrer.
      request.referrer = parsedReferrer
    }
@aldenquimby aldenquimby added the bug Something isn't working label Oct 24, 2024
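
The expected behaviour in the report above, as an added example (not undici's code and not part of the original issue): a model of the W3C Referrer Policy "determine request's referrer" step, generalised from `unsafe-url` to every policy, which shows which policies send the path and query cross-origin. The names `stripForReferrer`, `trustworthy` and `expectedReferer` are hypothetical, and treating only `https:` as potentially trustworthy is an assumption.

```javascript
// Added example: models the W3C Referrer Policy "determine request's
// referrer" step. Hypothetical helper names; not undici's implementation.

// Strip credentials and fragment; with originOnly also drop path and query.
// Returns null for local schemes, which never produce a referrer.
function stripForReferrer (url, originOnly = false) {
  const u = new URL(url)
  if (['about:', 'blob:', 'data:'].includes(u.protocol)) return null
  u.username = ''
  u.password = ''
  u.hash = ''
  if (originOnly) {
    u.pathname = '/'
    u.search = ''
  }
  return u.href
}

// Assumption: only https: is "potentially trustworthy" (the spec also
// accepts loopback hosts and a few other cases).
const trustworthy = (url) => new URL(url).protocol === 'https:'

// Returns the Referer header value, or null when no header is sent.
function expectedReferer (referrer, target, policy) {
  const originOnly = stripForReferrer(referrer, true)
  let full = stripForReferrer(referrer)
  if (full === null) return null
  if (full.length > 4096) full = originOnly // spec caps the serialized length
  const sameOrigin = new URL(referrer).origin === new URL(target).origin
  const downgrade = trustworthy(referrer) && !trustworthy(target)
  switch (policy) {
    case 'no-referrer': return null
    case 'origin': return originOnly
    case 'unsafe-url': return full // full URL even cross-origin and on downgrade
    case 'same-origin': return sameOrigin ? full : null
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly
    case 'strict-origin': return downgrade ? null : originOnly
    case 'no-referrer-when-downgrade': return downgrade ? null : full
    case 'strict-origin-when-cross-origin':
    default: // an empty policy falls back to strict-origin-when-cross-origin
      if (sameOrigin) return full
      return downgrade ? null : originOnly
  }
}
```

With the inputs from the report, `unsafe-url` yields `https://google.com/hello/world`, while the default policy yields `https://google.com/`, the value the reporter observed.
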
@Uzlopak
Contributor

Uzlopak commented Oct 24, 2024

I have the feeling I worked on this like 2 weeks ago. Yes the referrerPolicy is not well tested.

@mcollina
Member

@Uzlopak might it be this is fixed on v7.0.0-alpha.3?

@aldenquimby
Author

@Uzlopak @mcollina I just tried with v7.0.0-alpha.3 locally, and it looks like it's working now! So I assume #3706 fixed this?

@Uzlopak
Contributor

Uzlopak commented Oct 24, 2024

Did we backport it?

@aldenquimby
Author

@Uzlopak looks like auto-backport failed: #3706 (comment)

I don't see it in https://github.com/nodejs/undici/releases/tag/v6.20.1 so I assume no one has done the manual backport yet

@KhafraDev
Member

We should add in your test case since our tests did not catch the bug nor the fix.
