Remove referrerPolicy from Cloudflare Worker fetch requests (#8393)

The Cloudflare Worker runner runtime doesn't support the `fetch` parameter `referrerPolicy` and throws if one is defined. In attempt to better support Cloudlfare, we will remove this parameter from `fetch` requests when we detect the SDK running in a Cloudflare runner enviornment.
firebase · Sep 11, 2024 · 16d62d4 · 16d62d4
1 parent ca4dbcf
commit 16d62d4
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 9 deletions.
diff --git a/.changeset/khaki-numbers-nail.md b/.changeset/khaki-numbers-nail.md
@@ -0,0 +1,6 @@
+---
+'@firebase/auth': patch
+'@firebase/util': minor
+---
+
+Suppress the use of the `fetch` parameter `referrerPolicy` within Auth for `fetch` requests originating from Cloudflare Workers. Clouldflare Worker environments do not support this parameter and throw when it's used.
diff --git a/common/api-review/util.api.md b/common/api-review/util.api.md
@@ -264,6 +264,11 @@ export function isBrowser(): boolean;
 // @public (undocumented)
 export function isBrowserExtension(): boolean;
 
+// Warning: (ae-missing-release-tag) "isCloudflareWorker" is exported by the package, but it is missing a release tag (@alpha, @beta, @public, or @internal)
+//
+// @public
+export function isCloudflareWorker(): boolean;
+
 // Warning: (ae-missing-release-tag) "isElectron" is exported by the package, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public

diff --git a/packages/auth/src/api/index.test.ts b/packages/auth/src/api/index.test.ts
@@ -22,6 +22,7 @@ import { useFakeTimers } from 'sinon';
 import sinonChai from 'sinon-chai';
 
 import { FirebaseError, getUA } from '@firebase/util';
+import * as utils from '@firebase/util';
 
 import { mockEndpoint } from '../../test/helpers/api/helper';
 import { testAuth, TestAuth } from '../../test/helpers/mock_auth';
@@ -308,6 +309,52 @@ describe('api/_performApiRequest', () => {
     });
   });
 
+  context('referer policy exists on fetch request', () => {
+    afterEach(mockFetch.tearDown);
+
+    it('should have referrerPolicy set', async () => {
+      let referrerPolicySet: boolean = false;
+      mockFetch.setUpWithOverride(
+        (input: RequestInfo | URL, request?: RequestInit) => {
+          if (request !== undefined && request.referrerPolicy !== undefined) {
+            referrerPolicySet = true;
+          }
+          return Promise.resolve(new Response(JSON.stringify(serverResponse)));
+        }
+      );
+      const promise = _performApiRequest<typeof request, typeof serverResponse>(
+        auth,
+        HttpMethod.POST,
+        Endpoint.SIGN_UP,
+        request
+      );
+      await expect(promise).to.be.fulfilled;
+      expect(referrerPolicySet).to.be.true;
+    });
+
+    it('should not have referrerPolicy set on Cloudflare workers', async () => {
+      sinon.stub(utils, 'isCloudflareWorker').returns(true);
+      let referrerPolicySet: boolean = false;
+      mockFetch.setUpWithOverride(
+        (input: RequestInfo | URL, request?: RequestInit) => {
+          if (request !== undefined && request.referrerPolicy !== undefined) {
+            referrerPolicySet = true;
+          }
+          return Promise.resolve(new Response(JSON.stringify(serverResponse)));
+        }
+      );
+      const promise = _performApiRequest<typeof request, typeof serverResponse>(
+        auth,
+        HttpMethod.POST,
+        Endpoint.SIGN_UP,
+        request
+      );
+      await expect(promise).to.be.fulfilled;
+      expect(referrerPolicySet).to.be.false;
+      sinon.restore();
+    });
+  });
+
   context('with network issues', () => {
     afterEach(mockFetch.tearDown);
 

diff --git a/packages/auth/src/api/index.ts b/packages/auth/src/api/index.ts
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-import { FirebaseError, querystring } from '@firebase/util';
+import { FirebaseError, isCloudflareWorker, querystring } from '@firebase/util';
 
 import { AuthErrorCode, NamedErrorParams } from '../core/errors';
 import {
@@ -148,14 +148,23 @@ export async function _performApiRequest<T, V>(
       headers[HttpHeader.X_FIREBASE_LOCALE] = auth.languageCode;
     }
 
+    const fetchArgs: RequestInit = {
+      method,
+      headers,
+      ...body
+    };
+
+    /* Security-conscious server-side frameworks tend to have built in mitigations for referrer
+       problems". See the Cloudflare GitHub issue #487: Error: The 'referrerPolicy' field on
+       'RequestInitializerDict' is not implemented."
+       https://github.com/cloudflare/next-on-pages/issues/487 */
+    if (!isCloudflareWorker()) {
+      fetchArgs.referrerPolicy = 'no-referrer';
+    }
+
     return FetchProvider.fetch()(
       _getFinalTarget(auth, auth.config.apiHost, path, query),
-      {
-        method,
-        headers,
-        referrerPolicy: 'no-referrer',
-        ...body
-      }
+      fetchArgs
     );
   });
 }

diff --git a/packages/util/src/environment.ts b/packages/util/src/environment.ts
@@ -79,7 +79,7 @@ export function isNode(): boolean {
 }
 
 /**
- * Detect Browser Environment
+ * Detect Browser Environment.
  * Note: This will return true for certain test frameworks that are incompletely
  * mimicking a browser, and should not lead to assuming all browser APIs are
  * available.
@@ -89,7 +89,7 @@ export function isBrowser(): boolean {
 }
 
 /**
- * Detect Web Worker context
+ * Detect Web Worker context.
  */
 export function isWebWorker(): boolean {
   return (
@@ -99,6 +99,16 @@ export function isWebWorker(): boolean {
   );
 }
 
+/**
+ * Detect Cloudflare Worker context.
+ */
+export function isCloudflareWorker(): boolean {
+  return (
+    typeof navigator !== 'undefined' &&
+    navigator.userAgent === 'Cloudflare-Workers'
+  );
+}
+
 /**
  * Detect browser extensions (Chrome and Firefox at least).
  */