fix: restructure determineRequestsReferrer to match better spec (#3699)
Uzlopak authored Oct 8, 2024
1 parent ba91ec7 commit 40fb24d
Showing 1 changed file with 56 additions and 26 deletions.
82 changes: 56 additions & 26 deletions lib/web/fetch/util.js
Expand Up @@ -418,18 +418,37 @@ function determineRequestsReferrer (request) {
referrerURL = referrerOrigin
}

const areSameOrigin = sameOrigin(request, referrerURL)
const isNonPotentiallyTrustWorthy = isURLPotentiallyTrustworthy(referrerURL) &&
!isURLPotentiallyTrustworthy(request.url)
// 7. The user agent MAY alter referrerURL or referrerOrigin at this point
// to enforce arbitrary policy considerations in the interests of minimizing
// data leakage. For example, the user agent could strip the URL down to an
// origin, modify its host, replace it with an empty string, etc.

// 8. Execute the switch statements corresponding to the value of policy:
switch (policy) {
case 'origin': return referrerOrigin != null ? referrerOrigin : stripURLForReferrer(referrerSource, true)
case 'unsafe-url': return referrerURL
case 'same-origin':
return areSameOrigin ? referrerOrigin : 'no-referrer'
case 'origin-when-cross-origin':
return areSameOrigin ? referrerURL : referrerOrigin
case 'no-referrer':
// Return no referrer
return 'no-referrer'
case 'origin':
// Return referrerOrigin
if (referrerOrigin != null) {
return referrerOrigin
}
return stripURLForReferrer(referrerSource, true)
case 'unsafe-url':
// Return referrerURL.
return referrerURL
case 'strict-origin': {
const currentURL = requestCurrentURL(request)

// 1. If referrerURL is a potentially trustworthy URL and request’s
// current URL is not a potentially trustworthy URL, then return no
// referrer.
if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) {
return 'no-referrer'
}
// 2. Return referrerOrigin
return referrerOrigin
}
case 'strict-origin-when-cross-origin': {
const currentURL = requestCurrentURL(request)

Expand All @@ -449,23 +468,34 @@ function determineRequestsReferrer (request) {
// 3. Return referrerOrigin.
return referrerOrigin
}
case 'strict-origin':
/**
* 1. If referrerURL is a potentially trustworthy URL and
* request’s current URL is not a potentially trustworthy URL,
* then return no referrer.
* 2. Return referrerOrigin
*/
case 'no-referrer-when-downgrade': // eslint-disable-line
/**
* 1. If referrerURL is a potentially trustworthy URL and
* request’s current URL is not a potentially trustworthy URL,
* then return no referrer.
* 2. Return referrerOrigin
*/

default: // eslint-disable-line
return isNonPotentiallyTrustWorthy ? 'no-referrer' : referrerOrigin
case 'same-origin':
// 1. If the origin of referrerURL and the origin of request’s current
// URL are the same, then return referrerURL.
if (sameOrigin(request, referrerURL)) {
return referrerURL
}
// 2. Return no referrer.
return 'no-referrer'
case 'origin-when-cross-origin':
// 1. If the origin of referrerURL and the origin of request’s current
// URL are the same, then return referrerURL.
if (sameOrigin(request, referrerURL)) {
return referrerURL
}
// 2. Return referrerOrigin.
return referrerOrigin
case 'no-referrer-when-downgrade': {
const currentURL = requestCurrentURL(request)

// 1. If referrerURL is a potentially trustworthy URL and request’s
// current URL is not a potentially trustworthy URL, then return no
// referrer.
if (isURLPotentiallyTrustworthy(referrerURL) && !isURLPotentiallyTrustworthy(currentURL)) {
return 'no-referrer'
}
// 2. Return referrerOrigin
return referrerOrigin
}
}
}
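Review bot: In the `same-origin` and `origin-when-cross-origin` cases the check is `sameOrigin(request, referrerURL)`, which passes the request object even though the comment directly above it compares against the origin of request's current URL, and the `strict-origin` and `no-referrer-when-downgrade` cases already derive `const currentURL = requestCurrentURL(request)`. sameOrigin is not defined on this page, so the effect is inferred: if it compares URL components, a request object would presumably never match and these two policies would never return the full referrerURL; `if (sameOrigin(requestCurrentURL(request), referrerURL)) {` would make the code agree with its comment. The `no-referrer-when-downgrade` case is a copy of `strict-origin` and ends in `return referrerOrigin`, whereas the Referrer Policy algorithm returns referrerURL at that step; if sending only the origin is a deliberate data-minimising choice, the `// 2. Return referrerOrigin` comment should say so. The switch also appears to have lost its `default:` branch, so a policy value outside the listed ones would make the function return undefined; the function starts outside the hunk, so an earlier guard may already cover that.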
