referrerPolicy unsafe-url is not being respected - Githubissues

nodejs / undici

An HTTP/1.1 client, written from scratch for Node.js

https://nodejs.github.io/undici

MIT License

6.19k stars 541 forks source link

referrerPolicy unsafe-url is not being respected #3767

Open aldenquimby opened 2 hours ago

aldenquimby commented 2 hours ago

Bug Description

referrerPolicy unsafe-url is not being respected

Reproducible By

fetch('https://example.com', {
  referrer: 'https://google.com/hello/world',
  referrerPolicy: 'unsafe-url'
});

request ends up with header referer: https://google.com/ (path is removed)

Expected Behavior

request has header referer: https://google.com/hello/world

Environment

MacOS 14.7, Node v20

Additional context

logic in determineRequestsReferrer looks good, which suggests something else is modifying referrer
why does this code exist? it appears to forcefully block cross-origin referrers, regardless of policy: https://github.com/nodejs/undici/blob/02c61d2612953ab810457340762579aef7f78b0f/lib/web/fetch/request.js#L280-L292

Uzlopak commented 2 hours ago

I have the feeling I worked on this like 2 weeks ago. Yes the referrerPolicy is not well tested.

mcollina commented 2 hours ago

@Uzlopak might it be this is fixed on v7.0.0-alpha.3?

aldenquimby commented 1 hour ago

@Uzlopak @mcollina I just tried with v7.0.0-alpha.3 locally, and it looks like it's working now! So I assume #3706 fixed this?

Uzlopak commented 1 hour ago

Did we backport it?

aldenquimby commented 1 hour ago

@Uzlopak looks like auto-backport failed: https://github.com/nodejs/undici/pull/3706#issuecomment-2404907827

I don't see it in https://github.com/nodejs/undici/releases/tag/v6.20.1 so I assume no one has done the manual backport yet

KhafraDev commented 38 minutes ago

We should add in your test case since our tests did not catch the bug nor the fix.