
preserve referrer & referrerPolicy metadata in asset requests #69413

Open
SkyZeroZx wants to merge 2 commits into angular:main from SkyZeroZx:fix-sw-referrer

Conversation

@SkyZeroZx (Contributor)

fix(service-worker): preserve empty referrer in asset requests

Preserve explicit referrer: '' when the service worker reconstructs asset requests for cache-busted and redirected asset fetches.

For example, an attacker with access to asset host logs could receive a reset token embedded in a page URL if the reconstructed request falls back to the default referrer behavior.

Also, we can see a similar behavior in the recent fix for the HTTP client.

See #69171 (comment)

fix(service-worker): preserve referrer policy in asset requests

Preserve explicit referrer policy when the service worker reconstructs asset requests for cache-busted and redirected asset fetches.

For example, an application can load a script or image with referrerPolicy: 'same-origin' or 'origin' to limit referrer data. Dropping that policy can expose more of the current URL to that resource host.

Preserve referrer metadata when the service worker reconstructs asset requests for cache-busted and redirected asset fetches.

For example, an attacker with access to asset host logs could receive a reset token embedded in a page URL if the reconstructed request falls back to default referrer behavior instead of carrying referrer: ''.
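As an added illustration (not code from this PR or from Angular's service worker), the rebuild problem the description raises: constructing a Request from only the new URL resets referrer to the client default and referrerPolicy to empty, while copying both fields over keeps an explicit referrer: '' and the caller's policy. The cache-bust parameter name, the sample URLs and the helper names are assumptions.

```javascript
// Added example, not Angular's code: rebuild an asset request for a
// cache-busted (or redirected) fetch without dropping referrer metadata.
// Needs a Request global: Node 18+ or a browser/service worker context.

// Append a cache-busting query parameter (parameter name is illustrative).
function cacheBustedUrl(url) {
  const u = new URL(url);
  u.searchParams.set('cache-bust', String(Date.now()));
  return u.toString();
}

// Build a RequestInit carrying the original's referrer metadata.
// Request.referrer reads '' when the caller asked for no referrer at all and
// 'about:client' when it was left at the default. Only the default is omitted,
// so an explicit '' survives the rebuild instead of silently becoming default.
function requestInitFrom(original) {
  const init = {
    credentials: original.credentials,
    referrerPolicy: original.referrerPolicy,
  };
  if (original.referrer !== 'about:client') {
    init.referrer = original.referrer;
  }
  return init;
}

// Lossy rebuild from the URL alone: referrer resets to 'about:client' and
// referrerPolicy to '' (the document's policy), so the page URL may leak.
function rebuildLossy(newUrl) {
  return new Request(newUrl);
}

// Preserving rebuild: same URL change, metadata travels with it.
function rebuildAssetRequest(original, newUrl) {
  return new Request(newUrl, requestInitFrom(original));
}

if (typeof Request !== 'undefined') {
  // Constructed sample: an asset fetched with referrer suppressed and a
  // restricted policy, as a page would do when its own URL carries a token.
  const original = new Request('https://cdn.example/main.js',
      { referrer: '', referrerPolicy: 'origin' });
  const url = cacheBustedUrl(original.url);
  const lossy = rebuildLossy(url);
  const kept = rebuildAssetRequest(original, url);
  console.log('lossy', JSON.stringify([lossy.referrer, lossy.referrerPolicy]));
  // -> lossy ["about:client",""]
  console.log('kept ', JSON.stringify([kept.referrer, kept.referrerPolicy]));
  // -> kept  ["","origin"]
}
```

In a real service worker the original would be the FetchEvent's request; the same init-copying applies to the redirected URL case.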
pullapprove (bot) requested a review from JeanMeche on June 18, 2026 04:48
angular-robot (bot) added the label "area: service-worker" (Issues related to the @angular/service-worker package) on Jun 18, 2026
ngbot (bot) added this to the Backlog milestone on Jun 18, 2026