fix: same-origin/origin-when-cross-origin referrer compares wrong origins #5487
Open
spokodev wants to merge 1 commit into
Conversation
…gins determineRequestsReferrer passed the internal request object (which has no protocol/hostname/port) to sameOrigin() for the same-origin and origin-when-cross-origin policies, so the same-origin check always failed. Per the Referrer Policy spec both policies must compare the origin of referrerURL with the origin of request's current URL. Compare referrerURL against requestCurrentURL(request) instead, matching the strict-origin-when-cross-origin branch.
KhafraDev (Member) requested changes, Jul 2, 2026:
Remove the tests, run the fetch WPTs, commit the updated expectations file. The WPTs cover these tests extensively.
spokodev (Contributor, Author) replied:
I ran the fetch WPTs. The referrer-policy tests (
Description

`determineRequestsReferrer` compares the wrong pair of origins for the `same-origin` and `origin-when-cross-origin` referrer policies, so a same-origin request is treated as cross-origin.

Both branches call `sameOrigin(request, referrerURL)`. `request` is the internal request record (it exposes `url`/`urlList`/`origin`), not a URL object, so it has none of the `protocol`/`hostname`/`port` fields `sameOrigin()` reads. The comparison therefore always returns false and the same-origin path is never taken.

Effect on a same-origin `fetch()`:

- `same-origin` sends no `Referer` at all (should send the full referrer URL).
- `origin-when-cross-origin` sends only the origin (should send the full referrer URL).

This diverges from the Fetch standard and from browser behavior, and breaks referrer-based checks and analytics on the server.

Fix

Compare `referrerURL` against the request's current URL, matching the neighboring `strict-origin-when-cross-origin` branch (which is already correct and whose in-code comment describes exactly this same-origin check):

(applied to both the `same-origin` and `origin-when-cross-origin` branches; no new imports.)

Test

Added a `determineRequestsReferrer` group to `test/fetch/util.js`. On current HEAD the same-origin cases fail (no-referrer / origin-only) and the cross-origin cases pass as controls; with the fix all four pass. `test/fetch/referrrer-policy.js` stays green.
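A runnable model of the mismatch the description above explains, added here as an example; it is not undici's code or this PR's patch. `sameOrigin()`, `requestCurrentURL()` and the request record are simplified stand-ins for the undici internals the description names, and the sample URLs are constructed.

```javascript
// Added model of the bug in this PR; not undici's code. sameOrigin() mirrors
// the protocol/hostname/port comparison the PR description refers to.
function sameOrigin (A, B) {
  return A.protocol === B.protocol && A.hostname === B.hostname && A.port === B.port
}

// Simplified internal request record as the PR describes it: it exposes
// url/urlList/origin (and referrer here), but none of the fields sameOrigin() reads.
function makeRequest (url, referrer) {
  const u = new URL(url)
  return { url: u.href, urlList: [u], origin: u.origin, referrer: new URL(referrer) }
}

// The request's current URL is the last entry of its URL list.
function requestCurrentURL (request) {
  return request.urlList[request.urlList.length - 1]
}

// Returns the Referer value that would be sent: 'no-referrer', the referrer's
// origin (serialized with a trailing slash), or the full referrer URL.
// `fixed` selects the corrected comparison from this PR.
function determineRequestsReferrer (request, policy, fixed) {
  const referrerURL = request.referrer
  const referrerOrigin = referrerURL.origin + '/'
  // Before the fix the record itself is passed to sameOrigin(); its
  // protocol/hostname/port are undefined, so the check can never succeed.
  const isSameOrigin = fixed
    ? sameOrigin(requestCurrentURL(request), referrerURL)
    : sameOrigin(request, referrerURL)
  switch (policy) {
    case 'same-origin':
      return isSameOrigin ? referrerURL.href : 'no-referrer'
    case 'origin-when-cross-origin':
      return isSameOrigin ? referrerURL.href : referrerOrigin
    default:
      throw new TypeError(`policy ${policy} not modelled here`)
  }
}

// Constructed sample requests: one same-origin, one cross-origin, same referrer.
const sameOriginReq = makeRequest('https://example.com/page', 'https://example.com/from')
const crossOriginReq = makeRequest('https://other.test/page', 'https://example.com/from')

// Before the fix a same-origin fetch under 'same-origin' sends no Referer at all.
console.log(determineRequestsReferrer(sameOriginReq, 'same-origin', false)) // 'no-referrer'
console.log(determineRequestsReferrer(sameOriginReq, 'same-origin', true))  // 'https://example.com/from'
```

The cross-origin request returns the same value with or without the fix, which is why those cases serve as controls in the PR's test group.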