feat: extend to double-check if a valid referrer policy

nodejs · Oct 21, 2022 · 5954f4d · 5954f4d
1 parent 98fc1be
commit 5954f4d
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 6 deletions.
diff --git a/lib/fetch/util.js b/lib/fetch/util.js
@@ -26,6 +26,18 @@ const badPorts = [
   '10080'
 ]
 
+// https://w3c.github.io/webappsec-referrer-policy/#referrer-policies
+const referrerPolicyTokens = [
+  'no-referrer',
+  'no-referrer-when-downgrade',
+  'same-origin',
+  'origin',
+  'strict-origin',
+  'origin-when-cross-origin',
+  'strict-origin-when-cross-origin',
+  'unsafe-url'
+]
+
 function responseURL (response) {
   // https://fetch.spec.whatwg.org/#responses
   // A response has an associated URL. It is a pointer to the last URL
@@ -207,11 +219,17 @@ function setRequestReferrerPolicyOnRedirect (request, actualResponse) {
   // 2. Let policy be the empty string.
   // 3. For each token in policy-tokens, if token is a referrer policy and token is not the empty string, then set policy to token.
   // 4. Return policy.
-  const policy = headersList.get('referrer-policy') ?? ''
+  const token = headersList.get('referrer-policy') ?? ''
 
   // 2. If policy is not the empty string, then set request’s referrer policy to policy.
-  if (policy !== '') {
-    request.referrerPolicy = policy
+  if (token !== '') {
+    for (const policyToken of referrerPolicyTokens) {
+      // if token is a referrer policy and token is not an empty string, then set policy to token.
+      if (token === policyToken) {
+        request.referrerPolicy = token
+        break
+      }
+    }
   }
 }
 

diff --git a/test/fetch/util.js b/test/fetch/util.js
@@ -135,7 +135,7 @@ test('isURLPotentiallyTrustworthy', (t) => {
 })
 
 test('setRequestReferrerPolicyOnRedirect', nested => {
-  nested.plan(2)
+  nested.plan(3)
 
   nested.test('should set referrer policy from response headers on redirect', t => {
     const request = {
@@ -146,13 +146,14 @@ test('setRequestReferrerPolicyOnRedirect', nested => {
       headersList: new HeadersList()
     }
 
+    t.plan(1)
+
     actualResponse.headersList.append('Connection', 'close')
     actualResponse.headersList.append('Location', 'https://some-location.com/redirect')
     actualResponse.headersList.append('Referrer-Policy', 'origin')
     util.setRequestReferrerPolicyOnRedirect(request, actualResponse)
 
     t.equal(request.referrerPolicy, 'origin')
-    t.end()
   })
 
   nested.test('should set not change request referrer policy if no Referrer-Policy from initial redirect response', t => {
@@ -164,12 +165,32 @@ test('setRequestReferrerPolicyOnRedirect', nested => {
       headersList: new HeadersList()
     }
 
+    t.plan(1)
+
     actualResponse.headersList.append('Connection', 'close')
     actualResponse.headersList.append('Location', 'https://some-location.com/redirect')
     util.setRequestReferrerPolicyOnRedirect(request, actualResponse)
 
     t.equal(request.referrerPolicy, 'no-referrer, strict-origin-when-cross-origin')
-    t.end()
+  })
+
+  nested.test('should set not change request referrer policy if the policy is a non-valid Referrer Policy', t => {
+    const initial = 'no-referrer, strict-origin-when-cross-origin'
+    const request = {
+      referrerPolicy: initial
+    }
+    const actualResponse = {
+      headersList: new HeadersList()
+    }
+
+    t.plan(1)
+
+    actualResponse.headersList.append('Connection', 'close')
+    actualResponse.headersList.append('Location', 'https://some-location.com/redirect')
+    actualResponse.headersList.append('Referrer-Policy', 'asdasd')
+    util.setRequestReferrerPolicyOnRedirect(request, actualResponse)
+
+    t.equal(request.referrerPolicy, initial)
   })
 })