fix: restructure determineRequestsReferrer to match better spec #3699

Merged
merged 1 commit into from
Oct 8, 2024
Merged
82 changes: 56 additions & 26 deletions lib/web/fetch/util.js
Expand Up @@ -418,18 +418,37 @@ function determineRequestsReferrer (request) {
referrerURL = referrerOrigin
}

const areSameOrigin = sameOrigin(request, referrerURL)
const isNonPotentiallyTrustWorthy = isURLPotentiallyTrustworthy(referrerURL) &&
!isURLPotentiallyTrustworthy(request.url)
// 7. The user agent MAY alter referrerURL or referrerOrigin at this point
// to enforce arbitrary policy considerations in the interests of minimizing
// data leakage. For example, the user agent could strip the URL down to an
// origin, modify its host, replace it with an empty string, etc.

// 8. Execute the switch statements corresponding to the value of policy:
switch (policy) {
case 'origin': return referrerOrigin != null ? referrerOrigin : stripURLForReferrer(referrerSource, true)
case 'unsafe-url': return referrerURL
case 'same-origin':
return areSameOrigin ? referrerOrigin : 'no-referrer'
case 'origin-when-cross-origin':
return areSameOrigin ? referrerURL : referrerOrigin
case 'no-referrer':
// Return no referrer
return 'no-referrer'
case 'origin':
// Return referrerOrigin
if (referrerOrigin != null) {
return referrerOrigin
}
return stripURLForReferrer(referrerSource, true)
case 'unsafe-url':
// Return referrerURL.
return referrerURL
case 'strict-origin': {
const currentURL = requestCurrentURL(request)

// 1. If referrerURL is a potentially trustworthy URL and request’s
// current URL is not a potentially trustworthy URL, then return no
// referrer.
if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) {
return 'no-referrer'
}
// 2. Return referrerOrigin
return referrerOrigin
}
case 'strict-origin-when-cross-origin': {
const currentURL = requestCurrentURL(request)

Expand All @@ -449,23 +468,34 @@ function determineRequestsReferrer (request) {
// 3. Return referrerOrigin.
return referrerOrigin
}
case 'strict-origin':
/**
* 1. If referrerURL is a potentially trustworthy URL and
* request’s current URL is not a potentially trustworthy URL,
* then return no referrer.
* 2. Return referrerOrigin
*/
case 'no-referrer-when-downgrade': // eslint-disable-line
/**
* 1. If referrerURL is a potentially trustworthy URL and
* request’s current URL is not a potentially trustworthy URL,
* then return no referrer.
* 2. Return referrerOrigin
*/

default: // eslint-disable-line
return isNonPotentiallyTrustWorthy ? 'no-referrer' : referrerOrigin
case 'same-origin':
// 1. If the origin of referrerURL and the origin of request’s current
// URL are the same, then return referrerURL.
if (sameOrigin(request, referrerURL)) {
return referrerURL
}
// 2. Return no referrer.
return 'no-referrer'
case 'origin-when-cross-origin':
// 1. If the origin of referrerURL and the origin of request’s current
// URL are the same, then return referrerURL.
if (sameOrigin(request, referrerURL)) {
return referrerURL
}
// 2. Return referrerOrigin.
return referrerOrigin
case 'no-referrer-when-downgrade': {
const currentURL = requestCurrentURL(request)

// 1. If referrerURL is a potentially trustworthy URL and request’s
// current URL is not a potentially trustworthy URL, then return no
// referrer.
if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) {
return 'no-referrer'
}
// 2. Return referrerOrigin
return referrerOrigin
}
}
}
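Review bot: The `no-referrer-when-downgrade` case returns `referrerOrigin` in its step 2, but the Referrer Policy algorithm this commit is aligning with returns the full `referrerURL` there — only the downgrade check in step 1 strips to no referrer, and an unconditional origin fallback is what `strict-origin` does, which the new case now duplicates line for line. The fix is to change the last two lines of that case to `// 2. Return referrerURL.` and `return referrerURL`, and to pin it with a test where a potentially-trustworthy referrer and a potentially-trustworthy request URL have different origins. The deviation errs on the side of leaking less (origin instead of full URL), so it is a compatibility rather than a disclosure problem, but the comment labelling it as spec step 2 is misleading to the next reader. Separately, the rewritten switch drops the old `default` branch, so if `policy` can ever hold a value outside the eight spec-defined strings (its normalization, if any, happens earlier in the function), the call now returns `undefined` where it previously fell through to the trustworthiness check — worth confirming the caller defaults it or re-adding a `default`. The enclosing `determineRequestsReferrer` begins outside the hunk.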
