From 1e54b8f5ecd2bf0cf863311ed2bbe13ffe3f17b8 Mon Sep 17 00:00:00 2001
From: SkyZeroZx <73321943+SkyZeroZx@users.noreply.github.com>
Date: Thu, 4 Jun 2026 22:37:21 -0500
Subject: [PATCH] fix(http): preserve empty referrer option in HttpRequest

Preserve `referrer: ''` when constructing and cloning HttpRequest. An empty string is a valid Fetch referrer value and is documented by Angular as the way to omit referrer information for sensitive requests. The previous truthy checks treated it as if the option was not provided, causing requests to fall back to the browser default referrer behavior.
---
 packages/common/http/src/request.ts | 5 +++--
 packages/common/http/test/request_spec.ts | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/packages/common/http/src/request.ts b/packages/common/http/src/request.ts
index 137b7939ce7..16c5cbf6572 100644
--- a/packages/common/http/src/request.ts
+++ b/packages/common/http/src/request.ts
@@ -379,7 +379,7 @@ export class HttpRequest implements HttpRequestOptions {
 this.integrity = options.integrity;
 }
- if (options.referrer) {
+ if (options.referrer !== undefined) {
 this.referrer = options.referrer;
 }
@@ -555,7 +555,8 @@ export class HttpRequest implements HttpRequestOptions {
 const mode = update.mode || this.mode;
 const redirect = update.redirect || this.redirect;
 const credentials = update.credentials || this.credentials;
- const referrer = update.referrer || this.referrer;
+
+ const referrer = update.referrer ?? this.referrer;
 const integrity = update.integrity || this.integrity;
 const referrerPolicy = update.referrerPolicy || this.referrerPolicy;
 // Carefully handle the transferCache to differentiate between
diff --git a/packages/common/http/test/request_spec.ts b/packages/common/http/test/request_spec.ts
index 191f205267f..e701540b775 100644
--- a/packages/common/http/test/request_spec.ts
+++ b/packages/common/http/test/request_spec.ts
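Review bot: The new constructor guard `if (options.referrer !== undefined)` and the `update.referrer ?? this.referrer` fallback in `clone()` (second hunk) disagree about `null`: the constructor would now store a `null` passed by an untyped caller, while `clone()` treats it as absent. If the field is later handed to `fetch` unchanged (not visible here), a non-string value would be coerced rather than ignored, so `if (options.referrer != null) {` would keep the two paths aligned. A one-line comment above the guard, e.g. `// '' is a valid value: it asks fetch to omit the Referer header, so only skip when the option is absent.`, would also keep a later cleanup from restoring the truthy check. The constructor starts and ends outside this hunk.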
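Review bot: In `clone()` the `referrer` line is now the only one in this run that uses `??`; `integrity` and `referrerPolicy` on the following lines still use `||`, and the Fetch standard accepts `''` for both, so `clone({referrerPolicy: ''})` or `clone({integrity: ''})` silently keeps the previous value. Those cases fall back to the request's existing setting rather than to a browser default, so they are less pressing than the referrer leak this patch fixes, but it is worth either switching them to `??` or adding a comment that the difference is deliberate. The added empty `+` line above `const referrer` splits the block of declarations for no visible reason and could be dropped. `clone()` begins and ends outside the hunk.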
@@ -95,6 +95,10 @@ describe('HttpRequest', () => {
 const req = new HttpRequest('GET', '/test', {referrer: 'about:client'});
 expect(req.referrer).toBe('about:client');
 });
+ it('should preserve an empty string referrer (used to suppress the Referer header)', () => {
+ const req = new HttpRequest('GET', '/test', {referrer: ''});
+ expect(req.referrer).toBe('');
+ });
 it('should allow setting referrerPolicy option', () => {
 const req = new HttpRequest('GET', '/test', {referrerPolicy: 'no-referrer'});
 expect(req.referrerPolicy).toBe('no-referrer');
@@ -194,6 +198,13 @@ describe('HttpRequest', () => {
 it('and updates the referrer', () => {
 expect(req.clone({referrer: 'https://example.com'}).referrer).toBe('https://example.com');
 });
+ it('and preserves an existing empty string referrer when the update omits it', () => {
+ const emptyReferrerReq = new HttpRequest('GET', '/test', {referrer: ''});
+ expect(emptyReferrerReq.clone().referrer).toBe('');
+ });
+ it('and can update the referrer to an empty string', () => {
+ expect(req.clone({referrer: ''}).referrer).toBe('');
+ });
 it('and updates the integrity', () => {
 expect(req.clone({integrity: 'sha512-...'}).integrity).toBe('sha512-...');
 });
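Review bot: The spec titled `should preserve an empty string referrer (used to suppress the Referer header)` asserts only `req.referrer`, so nothing in this patch checks that `''` actually reaches the request the backend issues. If the code that builds the fetch init (not part of this diff) drops falsy values the same way the old constructor did, the Referer header would still be sent and these specs would stay green. A backend-level spec that sends a request built with `{referrer: ''}` and asserts that the init passed to the mocked `fetch` carries `referrer: ''` would pin the behaviour the commit message promises. The same gap applies to the two `clone()` specs in the second hunk of this file.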