From 180fa003ab51cd7ddae80fc6a2b0e471094e699e Mon Sep 17 00:00:00 2001
From: SkyZeroZx <73321943+SkyZeroZx@users.noreply.github.com>
Date: Fri, 5 Jun 2026 09:52:47 -0500
Subject: [PATCH] fix(http): preserve empty referrer option in HttpRequest

Preserve referrer: '' when constructing and cloning HttpRequest.

An empty string is a valid Fetch referrer value and is documented by

Angular as the way to omit referrer information for sensitive requests.

The previous truthy checks treated it as if the option was not provided,

causing requests to fall back to the browser default referrer behavior.

(cherry picked from commit 1e54b8f5ecd2bf0cf863311ed2bbe13ffe3f17b8)
---
 packages/common/http/src/request.ts       |  5 +++--
 packages/common/http/test/request_spec.ts | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/packages/common/http/src/request.ts b/packages/common/http/src/request.ts
index 9938eab8ba08..c01d4671bd5f 100644
--- a/packages/common/http/src/request.ts
+++ b/packages/common/http/src/request.ts
@@ -516,7 +516,7 @@ export class HttpRequest<T> {
         this.integrity = options.integrity;
       }
 
-      if (options.referrer) {
+      if (options.referrer !== undefined) {
         this.referrer = options.referrer;
       }
 
@@ -720,7 +720,8 @@ export class HttpRequest<T> {
     const mode = update.mode || this.mode;
     const redirect = update.redirect || this.redirect;
     const credentials = update.credentials || this.credentials;
-    const referrer = update.referrer || this.referrer;
+
+    const referrer = update.referrer ?? this.referrer;
     const integrity = update.integrity || this.integrity;
     // Carefully handle the transferCache to differentiate between
     // `false` and `undefined` in the update args.
diff --git a/packages/common/http/test/request_spec.ts b/packages/common/http/test/request_spec.ts
index 67298006878b..8919fcb81893 100644
--- a/packages/common/http/test/request_spec.ts
+++ b/packages/common/http/test/request_spec.ts
@@ -95,6 +95,10 @@ describe('HttpRequest', () => {
       const req = new HttpRequest('GET', '/test', {referrer: 'about:client'});
       expect(req.referrer).toBe('about:client');
     });
+    it('should preserve an empty string referrer (used to suppress the Referer header)', () => {
+      const req = new HttpRequest('GET', '/test', {referrer: ''});
+      expect(req.referrer).toBe('');
+    });
   });
   describe('clone() copies the request', () => {
     const headers = new HttpHeaders({
@@ -169,6 +173,13 @@ describe('HttpRequest', () => {
     it('and updates the referrer', () => {
       expect(req.clone({referrer: 'https://example.com'}).referrer).toBe('https://example.com');
     });
+    it('and preserves an existing empty string referrer when the update omits it', () => {
+      const emptyReferrerReq = new HttpRequest('GET', '/test', {referrer: ''});
+      expect(emptyReferrerReq.clone().referrer).toBe('');
+    });
+    it('and can update the referrer to an empty string', () => {
+      expect(req.clone({referrer: ''}).referrer).toBe('');
+    });
     it('and updates the integrity', () => {
       expect(req.clone({integrity: 'sha512-...'}).integrity).toBe('sha512-...');
     });