From 5c63d3b771416a4e04834cea9a9de517215f6b4f Mon Sep 17 00:00:00 2001
From: Yarchik
Date: Thu, 2 Jul 2026 10:41:58 +0100
Subject: [PATCH] fix: same-origin/origin-when-cross-origin referrer compares wrong origins

determineRequestsReferrer passed the internal request object (which has no protocol/hostname/port) to sameOrigin() for the same-origin and origin-when-cross-origin policies, so the same-origin check always failed. Per the Referrer Policy spec both policies must compare the origin of referrerURL with the origin of request's current URL. Compare referrerURL against requestCurrentURL(request) instead, matching the strict-origin-when-cross-origin branch.
---
 lib/web/fetch/util.js |  4 ++--
 test/fetch/util.js    | 47 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/lib/web/fetch/util.js b/lib/web/fetch/util.js
index b77be74f5d4..d79a0b601d4 100644
--- a/lib/web/fetch/util.js
+++ b/lib/web/fetch/util.js
@@ -481,7 +481,7 @@ function determineRequestsReferrer (request) {
     case 'same-origin':
       // 1. If the origin of referrerURL and the origin of request’s current
       // URL are the same, then return referrerURL.
-      if (sameOrigin(request, referrerURL)) {
+      if (sameOrigin(referrerURL, requestCurrentURL(request))) {
         return referrerURL
       }
       // 2. Return no referrer.
@@ -489,7 +489,7 @@ function determineRequestsReferrer (request) {
     case 'origin-when-cross-origin':
       // 1. If the origin of referrerURL and the origin of request’s current
       // URL are the same, then return referrerURL.
-      if (sameOrigin(request, referrerURL)) {
+      if (sameOrigin(referrerURL, requestCurrentURL(request))) {
         return referrerURL
       }
       // 2. Return referrerOrigin.
diff --git a/test/fetch/util.js b/test/fetch/util.js
index f5f23cb305b..3cb48672c75 100644
--- a/test/fetch/util.js
+++ b/test/fetch/util.js
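Review bot: The same expression `requestCurrentURL(request)` is now evaluated in the `same-origin` arm here, again in the `origin-when-cross-origin` arm of the second hunk, and (per the commit message) already in the `strict-origin-when-cross-origin` arm, so the policy switch repeats the lookup three times; hoisting it once before the switch, `const currentURL = requestCurrentURL(request)`, and writing `if (sameOrigin(referrerURL, currentURL)) {` in each arm would make it obvious that every policy compares against the same URL. Because these two arms now hand back the full `referrerURL` (path and query included) on a same-origin match rather than the stricter value the old always-false check produced, a short comment on the `return referrerURL` line such as `// referrerURL is the stripped referrer (no credentials/fragment), safe to send in full` would document the invariant this branch relies on; where that stripping happens is outside this hunk, so confirm it before wording the comment. The body of determineRequestsReferrer begins and ends outside both hunks.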
@@ -310,3 +310,50 @@ describe('isOriginIPPotentiallyTrustworthy()', () => {
     })
   })
 })
+
+describe('determineRequestsReferrer', () => {
+  const referrer = new URL('https://example.com/page?secret=1#frag')
+  const sameOriginURL = new URL('https://example.com/target')
+  const crossOriginURL = new URL('https://other.example/target')
+
+  function makeRequest (referrerPolicy, currentURL) {
+    return {
+      referrerPolicy,
+      referrer,
+      urlList: [currentURL],
+      origin: currentURL.origin
+    }
+  }
+
+  test('same-origin returns the referrer URL for a same-origin request', (t) => {
+    t.plan(1)
+
+    const result = util.determineRequestsReferrer(makeRequest('same-origin', sameOriginURL))
+
+    t.assert.strictEqual(result.toString(), 'https://example.com/page?secret=1')
+  })
+
+  test('same-origin returns no referrer for a cross-origin request', (t) => {
+    t.plan(1)
+
+    const result = util.determineRequestsReferrer(makeRequest('same-origin', crossOriginURL))
+
+    t.assert.strictEqual(result, 'no-referrer')
+  })
+
+  test('origin-when-cross-origin returns the referrer URL for a same-origin request', (t) => {
+    t.plan(1)
+
+    const result = util.determineRequestsReferrer(makeRequest('origin-when-cross-origin', sameOriginURL))
+
+    t.assert.strictEqual(result.toString(), 'https://example.com/page?secret=1')
+  })
+
+  test('origin-when-cross-origin returns the referrer origin for a cross-origin request', (t) => {
+    t.plan(1)
+
+    const result = util.determineRequestsReferrer(makeRequest('origin-when-cross-origin', crossOriginURL))
+
+    t.assert.strictEqual(result.toString(), 'https://example.com/')
+  })
+})
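Review bot: Every case built by `makeRequest` uses a single-entry `urlList`, so none of the four tests can tell whether the fix compares against the request's *current* URL or its original one — the distinction that matters once a redirect has appended to `urlList`, which is when a full referrer could be sent to an origin it was not meant for. A fifth case that starts cross-origin and then pushes a same-origin entry (and the mirror: starts same-origin, redirects cross-origin and expects `'no-referrer'`) would pin the current-URL semantics; the expected value below assumes `requestCurrentURL` reads the last entry of `urlList`, which is outside this diff, so confirm before landing. The `origin: currentURL.origin` field in `makeRequest` does not appear to be consumed by anything this diff shows; if determineRequestsReferrer does not read it, a one-line comment saying why it is set (or dropping it) would keep the fixture honest. The tests also never exercise a same-host, different-scheme pair (`http:` vs `https:`), which is the other way `sameOrigin` can legitimately return false.

```javascript
  test('same-origin compares against the current URL after a redirect', (t) => {
    t.plan(1)

    const request = makeRequest('same-origin', crossOriginURL)
    request.urlList.push(sameOriginURL)

    const result = util.determineRequestsReferrer(request)

    t.assert.strictEqual(result.toString(), 'https://example.com/page?secret=1')
  })
```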