[Backport 21.2.x] preserve referrer & referrerPolicy metadata in asset requests #69482

Open
SkyZeroZx wants to merge 2 commits into angular:21.2.x from SkyZeroZx:backport-69413-21.2.x

@SkyZeroZx

Contributor

Backport of #69413

Preserve referrer metadata when the service worker reconstructs asset requests for cache-busted and redirected asset fetches.

For example, an attacker with access to asset host logs could receive a reset token embedded in a page URL if the reconstructed request falls back to default referrer behavior instead of carrying referrer: ''.

(cherry picked from commit 99ad47e)

Preserve explicit referrer policy when the service worker reconstructs asset requests for cache-busted and redirected asset fetches.

For example, an application can load a script or image with referrerPolicy: 'same-origin' or 'origin' to limit referrer data. Dropping that policy can expose more of the current URL to that resource host.

(cherry picked from commit a7f52e5)
@pullapprove pullapprove Bot requested a review from JeanMeche June 23, 2026 12:55
@angular-robot angular-robot Bot added the area: service-worker Issues related to the @angular/service-worker package label Jun 23, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 23, 2026
@SkyZeroZx SkyZeroZx changed the title [Backport 21.2.x] fix(service-worker): preserve referrer in asset requests [Backport 21.2.x] preserve referrer & referrerPolicy metadata in asset requests Jun 23, 2026
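
The request-rebuild behaviour this pull request describes, as an added example that is not part of the PR and is not Angular's service-worker code. The function names, the `cache-bust` query parameter and the sample URL are hypothetical; it uses only the standard Fetch `Request` constructor.

```javascript
// Added example; not Angular's service-worker code. All names are hypothetical.

// Lossy rebuild: only the URL and headers are carried over, so the new Request
// falls back to the default referrer ("about:client") and an empty policy.
function rebuildLossy(original, newUrl) {
  return new Request(newUrl, { headers: original.headers });
}

// Preserving rebuild: referrer and referrerPolicy are copied explicitly.
// An empty-string referrer means "send no Referer header" and must survive.
function rebuildPreserving(original, newUrl) {
  return new Request(newUrl, {
    headers: original.headers,
    referrer: original.referrer,
    referrerPolicy: original.referrerPolicy,
  });
}

// Regression check: list the referrer fields that changed during a rebuild.
function lostReferrerMetadata(original, rebuilt) {
  return ['referrer', 'referrerPolicy'].filter((k) => original[k] !== rebuilt[k]);
}

// Constructed sample: an asset request made with the referrer suppressed
// and an explicit, restrictive policy.
function sampleRequest() {
  return new Request('https://assets.example/app.js', {
    headers: { Accept: '*/*' },
    referrer: '',
    referrerPolicy: 'same-origin',
  });
}

const original = sampleRequest();
const bustedUrl = original.url + '?cache-bust=1'; // constructed cache-busting URL
console.log(lostReferrerMetadata(original, rebuildLossy(original, bustedUrl)));
console.log(lostReferrerMetadata(original, rebuildPreserving(original, bustedUrl)));
```

A check like `lostReferrerMetadata` fits in a unit test around any code path that builds a new `Request` from an existing one.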