referrer.js
11.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
import {isIP} from 'node:net';
/**
* @external URL
* @see {@link https://developer.mozilla.org/en-US/docs/Web/API/URL|URL}
*/
/**
* @module utils/referrer
* @private
*/
/**
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#strip-url|Referrer Policy §8.4. Strip url for use as a referrer}
* @param {string} URL
* @param {boolean} [originOnly=false]
*/
export function stripURLForUseAsAReferrer(url, originOnly = false) {
// 1. If url is null, return no referrer.
if (url == null) { // eslint-disable-line no-eq-null, eqeqeq
return 'no-referrer';
}
url = new URL(url);
// 2. If url's scheme is a local scheme, then return no referrer.
if (/^(about|blob|data):$/.test(url.protocol)) {
return 'no-referrer';
}
// 3. Set url's username to the empty string.
url.username = '';
// 4. Set url's password to null.
// Note: `null` appears to be a mistake as this actually results in the password being `"null"`.
url.password = '';
// 5. Set url's fragment to null.
// Note: `null` appears to be a mistake as this actually results in the fragment being `"#null"`.
url.hash = '';
// 6. If the origin-only flag is true, then:
if (originOnly) {
// 6.1. Set url's path to null.
// Note: `null` appears to be a mistake as this actually results in the path being `"/null"`.
url.pathname = '';
// 6.2. Set url's query to null.
// Note: `null` appears to be a mistake as this actually results in the query being `"?null"`.
url.search = '';
}
// 7. Return url.
return url;
}
/**
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#enumdef-referrerpolicy|enum ReferrerPolicy}
*/
export const ReferrerPolicy = new Set([
'',
'no-referrer',
'no-referrer-when-downgrade',
'same-origin',
'origin',
'strict-origin',
'origin-when-cross-origin',
'strict-origin-when-cross-origin',
'unsafe-url'
]);
/**
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#default-referrer-policy|default referrer policy}
*/
export const DEFAULT_REFERRER_POLICY = 'strict-origin-when-cross-origin';
/**
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#referrer-policies|Referrer Policy §3. Referrer Policies}
* @param {string} referrerPolicy
* @returns {string} referrerPolicy
*/
export function validateReferrerPolicy(referrerPolicy) {
if (!ReferrerPolicy.has(referrerPolicy)) {
throw new TypeError(`Invalid referrerPolicy: ${referrerPolicy}`);
}
return referrerPolicy;
}
/**
* @see {@link https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy|Referrer Policy §3.2. Is origin potentially trustworthy?}
* @param {external:URL} url
* @returns `true`: "Potentially Trustworthy", `false`: "Not Trustworthy"
*/
export function isOriginPotentiallyTrustworthy(url) {
// 1. If origin is an opaque origin, return "Not Trustworthy".
// Not applicable
// 2. Assert: origin is a tuple origin.
// Not for implementations
// 3. If origin's scheme is either "https" or "wss", return "Potentially Trustworthy".
if (/^(http|ws)s:$/.test(url.protocol)) {
return true;
}
// 4. If origin's host component matches one of the CIDR notations 127.0.0.0/8 or ::1/128 [RFC4632], return "Potentially Trustworthy".
const hostIp = url.host.replace(/(^\[)|(]$)/g, '');
const hostIPVersion = isIP(hostIp);
if (hostIPVersion === 4 && /^127\./.test(hostIp)) {
return true;
}
if (hostIPVersion === 6 && /^(((0+:){7})|(::(0+:){0,6}))0*1$/.test(hostIp)) {
return true;
}
// 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".
// We are returning FALSE here because we cannot ensure conformance to
// let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)
if (/^(.+\.)*localhost$/.test(url.host)) {
return false;
}
// 6. If origin's scheme component is file, return "Potentially Trustworthy".
if (url.protocol === 'file:') {
return true;
}
// 7. If origin's scheme component is one which the user agent considers to be authenticated, return "Potentially Trustworthy".
// Not supported
// 8. If origin has been configured as a trustworthy origin, return "Potentially Trustworthy".
// Not supported
// 9. Return "Not Trustworthy".
return false;
}
/**
* @see {@link https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy|Referrer Policy §3.3. Is url potentially trustworthy?}
* @param {external:URL} url
* @returns `true`: "Potentially Trustworthy", `false`: "Not Trustworthy"
*/
export function isUrlPotentiallyTrustworthy(url) {
// 1. If url is "about:blank" or "about:srcdoc", return "Potentially Trustworthy".
if (/^about:(blank|srcdoc)$/.test(url)) {
return true;
}
// 2. If url's scheme is "data", return "Potentially Trustworthy".
if (url.protocol === 'data:') {
return true;
}
// Note: The origin of blob: and filesystem: URLs is the origin of the context in which they were
// created. Therefore, blobs created in a trustworthy origin will themselves be potentially
// trustworthy.
if (/^(blob|filesystem):$/.test(url.protocol)) {
return true;
}
// 3. Return the result of executing §3.2 Is origin potentially trustworthy? on url's origin.
return isOriginPotentiallyTrustworthy(url);
}
/**
* Modifies the referrerURL to enforce any extra security policy considerations.
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer|Referrer Policy §8.3. Determine request's Referrer}, step 7
* @callback module:utils/referrer~referrerURLCallback
* @param {external:URL} referrerURL
* @returns {external:URL} modified referrerURL
*/
/**
* Modifies the referrerOrigin to enforce any extra security policy considerations.
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer|Referrer Policy §8.3. Determine request's Referrer}, step 7
* @callback module:utils/referrer~referrerOriginCallback
* @param {external:URL} referrerOrigin
* @returns {external:URL} modified referrerOrigin
*/
/**
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer|Referrer Policy §8.3. Determine request's Referrer}
* @param {Request} request
* @param {object} o
* @param {module:utils/referrer~referrerURLCallback} o.referrerURLCallback
* @param {module:utils/referrer~referrerOriginCallback} o.referrerOriginCallback
* @returns {external:URL} Request's referrer
*/
export function determineRequestsReferrer(request, {referrerURLCallback, referrerOriginCallback} = {}) {
// There are 2 notes in the specification about invalid pre-conditions. We return null, here, for
// these cases:
// > Note: If request's referrer is "no-referrer", Fetch will not call into this algorithm.
// > Note: If request's referrer policy is the empty string, Fetch will not call into this
// > algorithm.
if (request.referrer === 'no-referrer' || request.referrerPolicy === '') {
return null;
}
// 1. Let policy be request's associated referrer policy.
const policy = request.referrerPolicy;
// 2. Let environment be request's client.
// not applicable to node.js
// 3. Switch on request's referrer:
if (request.referrer === 'about:client') {
return 'no-referrer';
}
// "a URL": Let referrerSource be request's referrer.
const referrerSource = request.referrer;
// 4. Let request's referrerURL be the result of stripping referrerSource for use as a referrer.
let referrerURL = stripURLForUseAsAReferrer(referrerSource);
// 5. Let referrerOrigin be the result of stripping referrerSource for use as a referrer, with the
// origin-only flag set to true.
let referrerOrigin = stripURLForUseAsAReferrer(referrerSource, true);
// 6. If the result of serializing referrerURL is a string whose length is greater than 4096, set
// referrerURL to referrerOrigin.
if (referrerURL.toString().length > 4096) {
referrerURL = referrerOrigin;
}
// 7. The user agent MAY alter referrerURL or referrerOrigin at this point to enforce arbitrary
// policy considerations in the interests of minimizing data leakage. For example, the user
// agent could strip the URL down to an origin, modify its host, replace it with an empty
// string, etc.
if (referrerURLCallback) {
referrerURL = referrerURLCallback(referrerURL);
}
if (referrerOriginCallback) {
referrerOrigin = referrerOriginCallback(referrerOrigin);
}
// 8.Execute the statements corresponding to the value of policy:
const currentURL = new URL(request.url);
switch (policy) {
case 'no-referrer':
return 'no-referrer';
case 'origin':
return referrerOrigin;
case 'unsafe-url':
return referrerURL;
case 'strict-origin':
// 1. If referrerURL is a potentially trustworthy URL and request's current URL is not a
// potentially trustworthy URL, then return no referrer.
if (isUrlPotentiallyTrustworthy(referrerURL) && !isUrlPotentiallyTrustworthy(currentURL)) {
return 'no-referrer';
}
// 2. Return referrerOrigin.
return referrerOrigin.toString();
case 'strict-origin-when-cross-origin':
// 1. If the origin of referrerURL and the origin of request's current URL are the same, then
// return referrerURL.
if (referrerURL.origin === currentURL.origin) {
return referrerURL;
}
// 2. If referrerURL is a potentially trustworthy URL and request's current URL is not a
// potentially trustworthy URL, then return no referrer.
if (isUrlPotentiallyTrustworthy(referrerURL) && !isUrlPotentiallyTrustworthy(currentURL)) {
return 'no-referrer';
}
// 3. Return referrerOrigin.
return referrerOrigin;
case 'same-origin':
// 1. If the origin of referrerURL and the origin of request's current URL are the same, then
// return referrerURL.
if (referrerURL.origin === currentURL.origin) {
return referrerURL;
}
// 2. Return no referrer.
return 'no-referrer';
case 'origin-when-cross-origin':
// 1. If the origin of referrerURL and the origin of request's current URL are the same, then
// return referrerURL.
if (referrerURL.origin === currentURL.origin) {
return referrerURL;
}
// Return referrerOrigin.
return referrerOrigin;
case 'no-referrer-when-downgrade':
// 1. If referrerURL is a potentially trustworthy URL and request's current URL is not a
// potentially trustworthy URL, then return no referrer.
if (isUrlPotentiallyTrustworthy(referrerURL) && !isUrlPotentiallyTrustworthy(currentURL)) {
return 'no-referrer';
}
// 2. Return referrerURL.
return referrerURL;
default:
throw new TypeError(`Invalid referrerPolicy: ${policy}`);
}
}
/**
* @see {@link https://w3c.github.io/webappsec-referrer-policy/#parse-referrer-policy-from-header|Referrer Policy §8.1. Parse a referrer policy from a Referrer-Policy header}
* @param {Headers} headers Response headers
* @returns {string} policy
*/
export function parseReferrerPolicyFromHeader(headers) {
// 1. Let policy-tokens be the result of extracting header list values given `Referrer-Policy`
// and response’s header list.
const policyTokens = (headers.get('referrer-policy') || '').split(/[,\s]+/);
// 2. Let policy be the empty string.
let policy = '';
// 3. For each token in policy-tokens, if token is a referrer policy and token is not the empty
// string, then set policy to token.
// Note: This algorithm loops over multiple policy values to allow deployment of new policy
// values with fallbacks for older user agents, as described in § 11.1 Unknown Policy Values.
for (const token of policyTokens) {
if (token && ReferrerPolicy.has(token)) {
policy = token;
}
}
// 4. Return policy.
return policy;
}