referrerPolicy unsafe-url is not being respected

[aldenquimby]

Bug Description

referrerPolicy unsafe-url is not being respected

Reproducible By

fetch('https://example.com', {
  referrer: 'https://google.com/hello/world',
  referrerPolicy: 'unsafe-url'
});

• request ends up with header referer: https://google.com/ (path is removed)

Expected Behavior

• request has header referer: https://google.com/hello/world

Environment

MacOS 14.7, Node v20

Additional context

• logic in determineRequestsReferrer looks good, which suggests something else is modifying referrer
• why does this code exist? it appears to forcefully block cross-origin referrers, regardless of policy:

  undici/lib/web/fetch/request.js

  Lines 280 to 292 in 02c61d2

  	// 3. If one of the following is true
  	// - parsedReferrer’s scheme is "about" and path is the string "client"
  	// - parsedReferrer’s origin is not same origin with origin
  	// then set request’s referrer to "client".
  	if (
  	(parsedReferrer.protocol === 'about:' && parsedReferrer.hostname === 'client') ||
  	(origin && !sameOrigin(parsedReferrer, environmentSettingsObject.settingsObject.baseUrl))
  	) {
  	request.referrer = 'client'
  	} else {
  	// 4. Otherwise, set request’s referrer to parsedReferrer.
  	request.referrer = parsedReferrer
  	}

[Uzlopak]

I have the feeling I worked on this like 2 weeks ago. Yes the referrerPolicy is not well tested.

[mcollina]

@Uzlopak might it be this is fixed on v7.0.0-alpha.3?

[aldenquimby]

@Uzlopak @mcollina I just tried with v7.0.0-alpha.3 locally, and it looks like it's working now! So I assume #3706 fixed this?

[Uzlopak]

Did we backport it?

[aldenquimby]

@Uzlopak looks like auto-backport failed: #3706 (comment)

I don't see it in https://github.com/nodejs/undici/releases/tag/v6.20.1 so I assume no one has done the manual backport yet

[KhafraDev]

We should add in your test case since our tests did not catch the bug nor the fix.