fix(http): preserve empty referrer option in HttpRequest#69171
fix(http): preserve empty referrer option in HttpRequest#69171SkyZeroZx wants to merge 1 commit into
Conversation
Preserve `referrer: ''` when constructing and cloning HttpRequest. An empty string is a valid Fetch referrer value and is documented by Angular as the way to omit referrer information for sensitive requests. The previous truthy checks treated it as if the option was not provided, causing requests to fall back to the browser default referrer behavior.
7d26173 to
1e54b8f
Compare
|
I'm wondering if this would need backporting or not, considering that since it was added in Angular 20, it has always been omitted. |
Bug fixes are not backported. |
|
I see that you just added the If you want your PR to be merged, it has to pass all the CI checks. If you can't get the PR to a green state due to flakes or broken |
That's the question, I'm not sure if it's a bug fix or a security issue, since if a user has been using referrer with '' and has sent any sensitive URL containing a token or OAuth2, it hasn't been fulfilled. |
|
Good point about the token, in that case yes let's backporting as technically this is potentially leaking sensitive route parameters. |
Preserve
referrer: ''when constructing and cloning HttpRequest.An empty string is a valid Fetch referrer value and is documented by Angular as the way to omit referrer information for sensitive requests. The previous truthy checks treated it as if the option was not provided, causing requests to fall back to the browser default referrer behavior.
See https://developer.mozilla.org/en-US/docs/Web/API/RequestInit#referrer