fix(referrer-policy): parse comma-separated fallback list per spec #75
Open
dmchaledev wants to merge 1 commit into
Conversation
The Referrer-Policy header supports a comma-separated list of values; browsers use the last recognised policy in the list. The previous check compared the raw header string against a fixed set of strong values, so a valid header like "unsafe-url, strict-origin-when-cross-origin" was incorrectly graded as a warning even though browsers enforce the strict policy.

The fix splits on commas, filters to recognised policy tokens, takes the last one as the effective value, and scores from that. The finding message now reports the effective policy rather than the raw string, which makes remediation guidance actionable.

Adds three test cases covering: strong-last list earns full score, weak-last list earns warning, and finding text references effective value.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Vbd3LGpLmTBEfbH5gKD3Jx
Problem
The Referrer-Policy header supports a comma-separated fallback list per the W3C spec. Browsers pick the last recognised value in the list, so this header:

is effectively strict-origin-when-cross-origin in every modern browser — a strong, fully-compliant policy.

Before this fix, checkReferrerPolicy compared the raw string against the set of strong values. That string never matches, so the header above was incorrectly graded as a warning with the finding:

That's a false positive: the site is well-configured, but the tool tells it to fix something that isn't broken. Real-world CDNs (e.g. Cloudflare) and some frameworks emit multi-value Referrer-Policy headers, so this affects users in the wild.
Fix
src/rules.ts — checkReferrerPolicy:

Tests

Three new cases added to test/analyzer.test.ts:

"unsafe-url, strict-origin-when-cross-origin" → good
"strict-origin-when-cross-origin, unsafe-url" → warning

All 88 tests pass.
🤖 Generated with Claude Code
https://claude.ai/code/session_01Vbd3LGpLmTBEfbH5gKD3Jx
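The "last recognised token wins" parsing the PR describes, as an added example that is not the project's own src/rules.ts code: the function and type names (effectiveReferrerPolicy, gradeReferrerPolicy, Finding) and the choice of which policies count as "strong" are assumptions made for this illustration.

```typescript
// Added example (not the project's code): a spec-style parser for the
// Referrer-Policy fallback list plus a small grader built on it.
// Names and the STRONG_POLICIES set are assumptions for this illustration.

// The eight policy tokens defined by the Referrer Policy spec.
const REFERRER_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Policies that never send the full URL cross-origin (assumed "strong" set).
const STRONG_POLICIES = new Set([
  "no-referrer", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin",
]);

interface Finding {
  status: "good" | "warning";
  effective: string | null; // the policy a browser would actually apply
  message: string;
}

// Split on commas, trim whitespace, skip tokens that are not recognised
// policies, and let the last recognised token win (spec behaviour).
function effectiveReferrerPolicy(header: string | undefined): string | null {
  if (!header) return null;
  let policy: string | null = null;
  for (const raw of header.split(",")) {
    const token = raw.trim();
    if (REFERRER_POLICIES.has(token)) policy = token;
  }
  return policy;
}

// Grade the effective policy, not the raw header string, and name the
// effective value in the finding so remediation advice is concrete.
function gradeReferrerPolicy(header: string | undefined): Finding {
  const effective = effectiveReferrerPolicy(header);
  if (effective === null) {
    return { status: "warning", effective,
      message: "Referrer-Policy missing or contains no recognised policy" };
  }
  if (STRONG_POLICIES.has(effective)) {
    return { status: "good", effective,
      message: `Effective Referrer-Policy "${effective}" is strong` };
  }
  return { status: "warning", effective,
    message: `Effective Referrer-Policy "${effective}" leaks referrer data` };
}
```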