fix: same-origin/origin-when-cross-origin referrer compares wrong origins#5487

Open

spokodev wants to merge 1 commit into nodejs:main from spokodev:w32/undici-referrer-same-origin

Conversation

@spokodev spokodev commented Jul 2, 2026

Contributor

Description

determineRequestsReferrer compares the wrong pair of origins for the same-origin and origin-when-cross-origin referrer policies, so a same-origin request is treated as cross-origin.

Both branches call sameOrigin(request, referrerURL). request is the internal request record (it exposes url/urlList/origin), not a URL object, so it has none of the protocol/hostname/port fields sameOrigin() reads. The comparison therefore always returns false and the same-origin path is never taken.

Effect on a same-origin fetch():

  • same-origin sends no Referer at all (should send the full referrer URL).
  • origin-when-cross-origin sends only the origin (should send the full referrer URL).

This diverges from the Fetch standard and from browser behavior, and breaks referrer-based checks and analytics on the server.

Fix

Compare referrerURL against the request's current URL, matching the neighboring strict-origin-when-cross-origin branch (which is already correct and whose in-code comment describes exactly this same-origin check):

-      if (sameOrigin(request, referrerURL)) {
+      if (sameOrigin(referrerURL, requestCurrentURL(request))) {
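Review bot: the new condition mirrors the strict-origin-when-cross-origin branch but carries no comment of its own; since the description points out that the neighboring branch's in-code comment already documents exactly this same-origin check, consider adding the same one-line spec note above the changed `if` in both the same-origin and origin-when-cross-origin branches so all three policies read consistently.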

(applied to both the same-origin and origin-when-cross-origin branches; no new imports.)

Test

Added a determineRequestsReferrer group to test/fetch/util.js. On current HEAD the same-origin cases fail (no-referrer / origin-only) and the cross-origin cases pass as controls; with the fix all four pass. test/fetch/referrrer-policy.js stays green.
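To make the failure mode concrete, here is an added illustration (not undici's code and not the PR's test): a simplified `sameOrigin()` that, like the real one described above, reads protocol/hostname/port from its arguments, a constructed request record exposing only url/urlList/origin, and the two affected policies evaluated under both the buggy and the corrected comparison. `referrerFor`, `makeRequest` and the example URLs are assumptions made for the demonstration.

```javascript
// Simplified stand-in for sameOrigin(): compares the URL fields the real
// helper reads. A request record has none of these, so comparing it against
// a URL can never be true.
const sameOrigin = (a, b) =>
  a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port

// Constructed internal request record: exposes url/urlList/origin only.
function makeRequest (url) {
  const u = new URL(url)
  return { url: u, urlList: [u], origin: u.origin }
}

// Current URL is the last entry of the redirect chain (urlList).
const requestCurrentURL = (request) => request.urlList[request.urlList.length - 1]

// Referrer value for the two policies the PR touches. `fixed` selects the
// corrected comparison (referrerURL vs request's current URL) instead of the
// buggy one (request record vs referrerURL).
function referrerFor (policy, request, referrerURL, fixed) {
  const isSame = fixed
    ? sameOrigin(referrerURL, requestCurrentURL(request))
    : sameOrigin(request, referrerURL)
  switch (policy) {
    case 'same-origin':
      return isSame ? referrerURL.href : 'no-referrer'
    case 'origin-when-cross-origin':
      // Cross-origin: only the referrer origin, serialized as a URL.
      return isSame ? referrerURL.href : referrerURL.origin + '/'
    default:
      throw new Error('policy not modelled in this illustration')
  }
}

// Constructed same-origin scenario: a page on https://app.example fetches
// https://app.example/api/data.
const referrerURL = new URL('https://app.example/page?x=1')
const request = makeRequest('https://app.example/api/data')

console.log(referrerFor('same-origin', request, referrerURL, false))               // no-referrer (bug)
console.log(referrerFor('same-origin', request, referrerURL, true))                // full URL
console.log(referrerFor('origin-when-cross-origin', request, referrerURL, false))  // origin only (bug)
console.log(referrerFor('origin-when-cross-origin', request, referrerURL, true))   // full URL
```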

…gins

determineRequestsReferrer passed the internal request object (which has
no protocol/hostname/port) to sameOrigin() for the same-origin and
origin-when-cross-origin policies, so the same-origin check always failed.

Per the Referrer Policy spec both policies must compare the origin of
referrerURL with the origin of request's current URL. Compare
referrerURL against requestCurrentURL(request) instead, matching the
strict-origin-when-cross-origin branch.

@KhafraDev KhafraDev left a comment

Member

Remove the tests, run the fetch WPTs, commit the updated expectations file. The WPTs cover these tests extensively.

spokodev commented Jul 3, 2026

Contributor Author

I ran the fetch WPTs. The referrer-policy tests (referrer-origin-when-cross-origin.html, referrer-origin.html, etc.) do not execute in the Node runner: they error with importScripts is not defined / Worker is not defined and are already recorded as {success: false, cases: []} in expectation.json, so this fix produces no expectation change. Because those tests do not run in the harness, the unit test in test/fetch/util.js is the only thing that exercises the fix (it fails on main and passes with the change). Would you prefer I keep it, or drop it and rely on the browser WPT runs?
