diff --git a/lib/fetch/request.js b/lib/fetch/request.js index b8b6d17c5f9..9764871b6f6 100644 --- a/lib/fetch/request.js +++ b/lib/fetch/request.js @@ -9,7 +9,8 @@ const util = require('../core/util') const { isValidHTTPToken, sameOrigin, - normalizeMethod + normalizeMethod, + makePolicyContainer } = require('./util') const { forbiddenMethods, @@ -51,13 +52,14 @@ class Request { input = webidl.converters.RequestInfo(input) init = webidl.converters.RequestInit(init) - // TODO + // https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object this[kRealm] = { settingsObject: { baseUrl: getGlobalOrigin(), get origin () { return this.baseUrl?.origin - } + }, + policyContainer: makePolicyContainer() } } diff --git a/lib/fetch/util.js b/lib/fetch/util.js index 9987e37ea74..2d8977f17ba 100644 --- a/lib/fetch/util.js +++ b/lib/fetch/util.js @@ -330,22 +330,26 @@ function createOpaqueTimingInfo (timingInfo) { // https://html.spec.whatwg.org/multipage/origin.html#policy-container function makePolicyContainer () { - // TODO - return {} + // Note: the fetch spec doesn't make use of embedder policy or CSP list + return { + referrerPolicy: 'strict-origin-when-cross-origin' + } } // https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container -function clonePolicyContainer () { - // TODO - return {} +function clonePolicyContainer (policyContainer) { + return { + referrerPolicy: policyContainer.referrerPolicy + } } // https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer function determineRequestsReferrer (request) { // 1. Let policy be request's referrer policy. - // TODO(@KhafraDev): referrerPolicy is supposed to be non-null & not an empty string. - // this is because we don't implement policyContainer. - const policy = request.referrerPolicy ?? 'strict-origin-when-cross-origin' + const policy = request.referrerPolicy + + // Note: policy cannot (shouldn't) be null or an empty string. + assert(policy) // 2. Let environment be request’s client.