[Backport 20.3.x] preserve referrer & referrerPolicy metadata in asset requests #69483

Open
SkyZeroZx wants to merge 2 commits into angular:20.3.x from SkyZeroZx:backport-69413-20.3.x

@SkyZeroZx

Contributor

Backport of #69413

Preserve referrer metadata when the service worker reconstructs asset requests for cache-busted and redirected asset fetches.

For example, an attacker with access to asset host logs could receive a reset token embedded in a page URL if the reconstructed request falls back to default referrer behavior instead of carrying referrer: ''.

(cherry picked from commit 99ad47e)

Preserve explicit referrer policy when the service worker reconstructs asset requests for cache-busted and redirected asset fetches.

For example, an application can load a script or image with referrerPolicy: 'same-origin' or 'origin' to limit referrer data. Dropping that policy can expose more of the current URL to that resource host.

(cherry picked from commit a7f52e5)
@pullapprove pullapprove Bot requested a review from devversion June 23, 2026 12:56
@angular-robot angular-robot Bot added the area: service-worker Issues related to the @angular/service-worker package label Jun 23, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 23, 2026
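
The reconstruction issue described in this pull request, as an added example that is not the PR's code or code from @angular/service-worker: a weak rebuild that carries only headers beside one that copies `referrer` and `referrerPolicy`, with a check that reports which fields were lost. All function names and the sample requests are hypothetical and constructed.

```javascript
// Added example. Function names and sample requests are hypothetical and
// constructed; this is not code from @angular/service-worker.

// Weak form: only headers are carried over, so a Request built from this
// init falls back to referrer 'about:client' and referrerPolicy ''.
function rebuildInitDroppingReferrer(req) {
  return { headers: req.headers };
}

// Corrected form: referrer metadata is copied explicitly.
function rebuildInitPreservingReferrer(req) {
  const init = { headers: req.headers };
  // Test against undefined, not truthiness: referrer === '' means
  // "send no referrer" and a truthiness check would silently drop it.
  if (req.referrer !== undefined) init.referrer = req.referrer;
  if (req.referrerPolicy !== undefined) init.referrerPolicy = req.referrerPolicy;
  return init;
}

// Values a Request built from `init` would report (Fetch API defaults).
function effectiveMetadata(init) {
  return {
    referrer: 'referrer' in init ? init.referrer : 'about:client',
    referrerPolicy: 'referrerPolicy' in init ? init.referrerPolicy : '',
  };
}

// Regression check: which referrer fields changed during reconstruction?
function lostMetadata(original, init) {
  const rebuilt = effectiveMetadata(init);
  return ['referrer', 'referrerPolicy'].filter((k) => original[k] !== rebuilt[k]);
}

// Constructed sample requests covering the two cases in the description.
const samples = [
  { url: 'https://assets.example/app.js', headers: {}, referrer: '', referrerPolicy: '' },
  { url: 'https://assets.example/logo.png', headers: {}, referrer: 'about:client', referrerPolicy: 'same-origin' },
];

function auditSamples(rebuild) {
  return samples.map((req) => lostMetadata(req, rebuild(req)).join(','));
}

console.log('dropping  :', auditSamples(rebuildInitDroppingReferrer));
console.log('preserving:', auditSamples(rebuildInitPreservingReferrer));
```

In a service worker the returned init would be passed as the second argument to `new Request(url, init)` for the cache-busted or redirected URL.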