From aa4100a6b0593e755c26a596c7b56ac6dca0bc5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Khang=2E=20V=C3=B5=20V=C4=A9?=
Date: Tue, 5 Jul 2022 11:19:05 +0700
Subject: [PATCH 1/2] fix ReDoS referrer

---
 src/utils/referrer.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/utils/referrer.js b/src/utils/referrer.js
index c8c668671..32a013e69 100644
--- a/src/utils/referrer.js
+++ b/src/utils/referrer.js
@@ -119,7 +119,7 @@ export function isOriginPotentiallyTrustworthy(url) {
 // 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".
 // We are returning FALSE here because we cannot ensure conformance to
 // let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)
- if (/^(.+\.)*localhost$/.test(url.host)) {
+ if (/^(.+)\.localhost$/.test(url.host)) {
 return false;
 }

From 1bbabcb417c3a2de775245c779f49dc9714f88fe Mon Sep 17 00:00:00 2001
From: "Khang Vo (doublevkay)" <45411113+vovikhangcdv@users.noreply.github.com>
Date: Thu, 28 Jul 2022 04:49:20 +0700
Subject: [PATCH 2/2] Update src/utils/referrer.js
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Eliminate regex and use string matcher

Co-authored-by: Linus Unnebäck
---
 src/utils/referrer.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/utils/referrer.js b/src/utils/referrer.js
index 32a013e69..6741f2fcc 100644
--- a/src/utils/referrer.js
+++ b/src/utils/referrer.js
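Review bot: In the 1/2 hunk of src/utils/referrer.js, the replacement pattern `/^(.+)\.localhost$/` no longer matches the bare host `localhost`, which the old `(.+\.)*` prefix accepted by repeating zero times, so this commit narrows the step 5 check in addition to removing the nested quantifier. Patch 2/2 restores the bare-name case, but a bisect or backport that stops at 1/2 gets the narrower check. Either squash the two patches or make 1/2 self-contained with `if (url.host === 'localhost' || /^(.+)\.localhost$/.test(url.host)) {`. The body of isOriginPotentiallyTrustworthy continues outside the hunk, so what a non-matching host falls through to cannot be confirmed from here.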
@@ -119,7 +119,7 @@ export function isOriginPotentiallyTrustworthy(url) {
 // 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".
 // We are returning FALSE here because we cannot ensure conformance to
 // let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)
- if (/^(.+)\.localhost$/.test(url.host)) {
+ if (url.host === 'localhost' || url.host.endsWith('.localhost')) {
 return false;
 }
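Review bot: The new condition still reads `url.host`, which on a WHATWG `URL` includes the port whenever it is not the scheme default, so a host such as `localhost:8080` (constructed example) satisfies neither the `=== 'localhost'` comparison nor `endsWith('.localhost')`; the anchored regex it replaces had the same gap. If `url` is a `URL` instance, as the property access suggests, the port-free `hostname` is the closer match to the "host component" named in the quoted step 5 text: `if (url.hostname === 'localhost' || url.hostname.endsWith('.localhost')) {`. The rest of isOriginPotentiallyTrustworthy lies outside the hunk, so whether the fall-through path answers differently for such hosts cannot be confirmed from here. A comment such as `// String comparison instead of a regex: the previous pattern was open to ReDoS on long host values.` would also record why the pattern was dropped.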