referrerPolicy unsafe-url is not being respected #3767

Open
aldenquimby opened this issue Oct 24, 2024 · 6 comments
Labels
bug Something isn't working

aldenquimby commented Oct 24, 2024

Bug Description

referrerPolicy unsafe-url is not being respected

Reproducible By

fetch('https://example.com', {
  referrer: 'https://google.com/hello/world',
  referrerPolicy: 'unsafe-url'
});
  • request ends up with header referer: https://google.com/ (path is removed)

Expected Behavior

  • request has header referer: https://google.com/hello/world

Environment

MacOS 14.7, Node v20

Additional context

  • logic in determineRequestsReferrer looks good, which suggests something else is modifying referrer
  • why does this code exist? it appears to forcefully block cross-origin referrers, regardless of policy:
    // 3. If one of the following is true
    // - parsedReferrer’s scheme is "about" and path is the string "client"
    // - parsedReferrer’s origin is not same origin with origin
    // then set request’s referrer to "client".
    if (
      (parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') ||
      (origin && !sameOrigin(parsedReferrer, environmentSettingsObject.settingsObject.baseUrl))
    ) {
      request.referrer = 'client'
    } else {
      // 4. Otherwise, set request’s referrer to parsedReferrer.
      request.referrer = parsedReferrer
    }
@Uzlopak
Contributor

Uzlopak commented Oct 24, 2024

I have the feeling I worked on this like 2 weeks ago. Yes the referrerPolicy is not well tested.

@mcollina
Member

@Uzlopak might it be this is fixed on v7.0.0-alpha.3?

@aldenquimby
Author

@Uzlopak @mcollina I just tried with v7.0.0-alpha.3 locally, and it looks like it's working now! So I assume #3706 fixed this?

@Uzlopak
Contributor

Uzlopak commented Oct 24, 2024

Did we backport it?

@aldenquimby
Author

@Uzlopak looks like auto-backport failed: #3706 (comment)

I don't see it in https://github.com/nodejs/undici/releases/tag/v6.20.1 so I assume no one has done the manual backport yet

@KhafraDev
Member

We should add in your test case since our tests did not catch the bug nor the fix.
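
Added example, not part of the thread and not undici's code: the Referer value each policy should yield for the request in this report, following the "determine request's referrer" steps of the W3C Referrer Policy specification. `computeReferrer`, `stripForReferrer` and `isTrustworthy` are hypothetical names; "potentially trustworthy" is simplified to an `https:` scheme check, and any non-HTTP(S) referrer is treated as no referrer.

```javascript
// Added example (assumptions: helper names are hypothetical; trustworthiness
// is approximated by the https: scheme; non-http(s) referrers yield no referrer).
const isTrustworthy = (url) => url.protocol === 'https:'

// Strip credentials and fragment; with originOnly also drop path and query.
function stripForReferrer (url, originOnly = false) {
  if (!['http:', 'https:'].includes(url.protocol)) return 'no-referrer'
  const u = new URL(url.href)
  u.username = ''
  u.password = ''
  u.hash = ''
  if (originOnly) {
    u.pathname = '/'
    u.search = ''
  }
  return u.href
}

// Returns the Referer header value, or 'no-referrer' when none is sent.
function computeReferrer (referrer, target, policy) {
  const from = new URL(referrer)
  const to = new URL(target)
  let full = stripForReferrer(from)
  const origin = stripForReferrer(from, true)
  if (full.length > 4096) full = origin // over-long referrers collapse to origin
  const sameOrigin = from.origin === to.origin
  const downgrade = isTrustworthy(from) && !isTrustworthy(to)

  switch (policy) {
    case 'no-referrer': return 'no-referrer'
    case 'origin': return origin
    case 'unsafe-url': return full // full URL, even cross-origin or on downgrade
    case 'strict-origin': return downgrade ? 'no-referrer' : origin
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full
      return downgrade ? 'no-referrer' : origin
    case 'same-origin': return sameOrigin ? full : 'no-referrer'
    case 'origin-when-cross-origin': return sameOrigin ? full : origin
    case 'no-referrer-when-downgrade': return downgrade ? 'no-referrer' : full
    default: throw new TypeError(`unknown referrer policy: ${policy}`)
  }
}
```

With `unsafe-url` the path and query string reach the other origin, including over plain HTTP, so a regression test for this policy should assert the full URL while tests for the stricter policies assert the origin or no header.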
