express icon indicating copy to clipboard operation
express copied to clipboard

Published 20 hours ago verified publisher icon expressjs

express checks referrer first, then referer next

Open AnyhowStep opened this issue 5 years ago • 6 comments

Looking at this, https://github.com/expressjs/express/blob/master/lib/request.js#L79

It seems like express checks referrer (with two "r"s) first, then referer next. Is there a particular reason why the double-r is checked first?

It seems like single-r should be checked first because it's standard.

Another reason to check single-r first is because it's easier to spoof double-r than it is to spoof single-r (with a web browser, anyway). Some browsers block attempts to modify the single-r header. But I don't think any browser blocks attempts to spoof double-r.

If it were me, I'd even go as far as to not check double-r at all. But that would be a breaking change and one can easily do this by just accessing req.headers.referer and not using req.header().

I'm just curious why req.header() was made to behave this way.

AnyhowStep avatar Apr 29 '19 19:04 AnyhowStep

Hi @AnyhowStep thanks for your question. So the logic was added here: https://github.com/expressjs/express/commit/b65b0636aa2890f86b4ec7baddd289c9fb1ca043

At the time, there was a general effort floating around to "fix" the spelling of the header, and servers would back this effort by looking for the correctly-spelled header, which Express did.

Since that time, it never really took off and then with the rewriting of the RFC into the 72xx series, the misspelled name was solidified further.

I believe the special case can just be removed these days, only checking the misspelled, standard name. This can easily be landed in the 5.0 branch.

dougwilson avatar Apr 30 '19 04:04 dougwilson

Should we add a 5.x tag to keep track of this issue?

@dougwilson, I can make a PR to strip the "referrer" special casing out of https://github.com/expressjs/express/blob/5.0/lib/request.js if you want that changed. Let me know if you'd prefer it gone :)

rileyjshaw avatar Oct 30 '19 20:10 rileyjshaw

@rileyjshaw, I think it would be best to start with printing a deprecation warning when trying to access req.headers.referrer if it was set. That would probably be what we would merge in 5.0 with a removal in 6.0.

wesleytodd avatar Oct 30 '19 20:10 wesleytodd

@wesleytodd sounds good! Something like:

console.warn('Deprecation warning: the "Referrer" header is non-standard, and special-casing for it will be dropped in version 6.0. See https://github.com/expressjs/express/issues/3951 for further details.');

?

rileyjshaw avatar Oct 31 '19 17:10 rileyjshaw

Preferably more like this:

https://github.com/expressjs/express/blob/master/lib/application.js#L512

wesleytodd avatar Nov 01 '19 22:11 wesleytodd

@wesleytodd sounds good! Sorry for the delay, I just added a PR to the 5.0 branch (https://github.com/expressjs/express/pull/4106). Let me know if you'd like to see any changes.

rileyjshaw avatar Nov 21 '19 23:11 rileyjshaw