Bug Description
referrerPolicy unsafe-url is not being respected
Reproducible By
fetch('https://example.com', {
  referrer: 'https://google.com/hello/world',
  referrerPolicy: 'unsafe-url'
});
- request ends up with header
referer: https://google.com/ (path is removed)
Expected Behavior
- request has header
referer: https://google.com/hello/world
Environment
MacOS 14.7, Node v20
Additional context
- logic in determineRequestsReferrer looks good, which suggests something else is modifying referrer
- why does this code exist? it appears to forcefully block cross-origin referrers, regardless of policy:
// 3. If one of the following is true
// - parsedReferrer’s scheme is "about" and path is the string "client"
// - parsedReferrer’s origin is not same origin with origin
// then set request’s referrer to "client".
if (
  (parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') ||
  (origin && !sameOrigin(parsedReferrer, environmentSettingsObject.settingsObject.baseUrl))
) {
  request.referrer = 'client'
} else {
  // 4. Otherwise, set request’s referrer to parsedReferrer.
  request.referrer = parsedReferrer
}
undici/lib/web/fetch/request.js, lines 280 to 292 in 02c61d2
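The per-policy outcome for the report's two URLs, as an added example (not part of the report and not undici's code) that follows the Referrer Policy specification's "determine request's referrer" steps in simplified form. The names `stripUrl` and `computeReferer`, and the reduction of "potentially trustworthy" to an https check, are assumptions of this example; the spec's 4096-character length cap is omitted.

```javascript
// Added example: simplified Referrer Policy referrer computation.
// Assumption: "potentially trustworthy" is reduced to an https: scheme check.
const LOCAL_SCHEMES = new Set(['about:', 'blob:', 'data:']);

// "Strip url for use as a referrer": drop credentials and fragment,
// and with originOnly also drop path and query.
function stripUrl(input, originOnly = false) {
  const url = new URL(input);
  if (LOCAL_SCHEMES.has(url.protocol)) return null;
  url.username = '';
  url.password = '';
  url.hash = '';
  if (originOnly) {
    url.pathname = '/';
    url.search = '';
  }
  return url.href;
}

const isTrustworthy = (u) => new URL(u).protocol === 'https:';

// Returns the Referer header value, or null when no header is sent.
function computeReferer(referrer, target, policy) {
  const full = stripUrl(referrer);
  if (full === null) return null;
  const originOnly = stripUrl(referrer, true);
  const sameOrigin = new URL(referrer).origin === new URL(target).origin;
  const downgrade = isTrustworthy(referrer) && !isTrustworthy(target);
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full; // full URL, even cross-origin or on downgrade
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new TypeError(`unknown referrer policy: ${policy}`);
  }
}

// URLs taken from the report: a cross-origin referrer and target.
const REFERRER = 'https://google.com/hello/world';
const TARGET = 'https://example.com';
for (const p of ['unsafe-url', 'strict-origin-when-cross-origin', 'origin', 'same-origin']) {
  console.log(p.padEnd(32), computeReferer(REFERRER, TARGET, p));
}
```

Only `unsafe-url`, `no-referrer-when-downgrade` and the same-origin branches can emit the path and query; the origin-only value `https://google.com/` reported above is what `origin`, `strict-origin`, `origin-when-cross-origin` and `strict-origin-when-cross-origin` produce for this cross-origin pair.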