Added uTests & isCloudflareWorker usage comments

Author: DellaBitta

.changeset/khaki-numbers-nail.md

@@ -3,4 +3,4 @@
 '@firebase/util': minor
 ---
 
-Suppress the use of the `fetch` parameter `referrPolicy` within Auth for `fetch` requests originating from Cloudflare Workers. Clouldflare Worker environments do not support this parameter and throw when it's used.
+Suppress the use of the `fetch` parameter `referrerPolicy` within Auth for `fetch` requests originating from Cloudflare Workers. Clouldflare Worker environments do not support this parameter and throw when it's used.

packages/auth/src/api/index.test.ts

@@ -22,6 +22,7 @@ import { useFakeTimers } from 'sinon';
 import sinonChai from 'sinon-chai';
 
 import { FirebaseError, getUA } from '@firebase/util';
+import * as utils from '@firebase/util';
 
 import { mockEndpoint } from '../../test/helpers/api/helper';
 import { testAuth, TestAuth } from '../../test/helpers/mock_auth';
@@ -308,6 +309,66 @@ describe('api/_performApiRequest', () => {
     });
   });
 
+  context('referer policy exists on fetch request', () => {
+    afterEach(mockFetch.tearDown);
+
+    it('should have referrerPolicy set', async () => {
+      /* eslint-disable  no-var */
+      var referrerPolicySet: boolean = false;
+      /* eslint-enable no-var */
+      mockFetch.setUpWithOverride(
+        (input: RequestInfo | URL, request?: RequestInit) => {
+          if (request !== undefined && request.referrerPolicy !== undefined) {
+            referrerPolicySet = true;
+          }
+          return new Promise<never>((_, reject) =>
+            reject(new Error('network error'))
+          );
+        }
+      );
+      const promise = _performApiRequest(
+        auth,
+        HttpMethod.POST,
+        Endpoint.SIGN_UP,
+        request
+      );
+      await expect(promise).to.be.rejectedWith(
+        FirebaseError,
+        'auth/network-request-failed'
+      );
+      expect(referrerPolicySet).to.be.true;
+    });
+
+    it('should not have referrerPolicy set on Cloudflare workers', async () => {
+      sinon.stub(utils, 'isCloudflareWorker').returns(true);
+      /* eslint-disable  no-var */
+      var referrerPolicySet: boolean = false;
+      /* eslint-enable  no-var */
+      mockFetch.setUpWithOverride(
+        (input: RequestInfo | URL, request?: RequestInit) => {
+          if (request !== undefined && request.referrerPolicy !== undefined) {
+            referrerPolicySet = true;
+          }
+          return new Promise<never>((_, reject) =>
+            reject(new Error('network error'))
+          );
+        }
+      );
+      const promise = _performApiRequest(
+        auth,
+        HttpMethod.POST,
+        Endpoint.SIGN_UP,
+        request
+      );
+      await expect(promise).to.be.rejectedWith(
+        FirebaseError,
+        'auth/network-request-failed'
+      );
+      expect(referrerPolicySet).to.be.false;
+      sinon.restore();
+    });
+  });
+
   context('with network issues', () => {
     afterEach(mockFetch.tearDown);
 

packages/auth/src/api/index.ts

@@ -154,6 +154,10 @@ export async function _performApiRequest<T, V>(
       ...body
     };
 
+    /* Security-conscious server-side frameworks tend to have built in mitigations for referrer
+       problems". See the Cloudflare GitHub issue #487: Error: The 'referrerPolicy' field on
+       'RequestInitializerDict' is not implemented."
+       https://github.com/cloudflare/next-on-pages/issues/487 */
     if (!isCloudflareWorker()) {
       fetchArgs.referrerPolicy = 'no-referrer';
     }