From 28802387292baee467e042e168d92597b5bbbe3d Mon Sep 17 00:00:00 2001
From: "Khang Vo (doublevkay)" <45411113+vovikhangcdv@users.noreply.github.com>
Date: Sun, 31 Jul 2022 15:01:29 +0700
Subject: [PATCH] fix: ReDoS referrer (#1611)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* fix ReDoS referrer
* Update src/utils/referrer.js Eliminate regex and use string matcher
Co-authored-by: Linus Unnebäck
Co-authored-by: Khang. Võ Vĩ
Co-authored-by: Linus Unnebäck
---
 src/utils/referrer.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/utils/referrer.js b/src/utils/referrer.js
index c8c668671..6741f2fcc 100644
--- a/src/utils/referrer.js
+++ b/src/utils/referrer.js
@@ -119,7 +119,7 @@ export function isOriginPotentiallyTrustworthy(url) {
 // 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".
 // We are returning FALSE here because we cannot ensure conformance to
 // let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)
- if (/^(.+\.)*localhost$/.test(url.host)) {
+ if (url.host === 'localhost' || url.host.endsWith('.localhost')) {
 return false;
 }
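Review bot: The changed `if` line drops the regex without leaving any record of why, so the comment block above it should say so; suggested addition: `// Deliberately a plain string comparison: the former /^(.+\.)*localhost$/ regex backtracked exponentially on long hosts (ReDoS, #1611).` Worth knowing that `endsWith('.localhost')` also accepts a host that is exactly `.localhost`, which the old pattern's `(.+\.)*` did not, though since both sides of the `||` lead to the same `return false` this looks harmless. `url.host` carries the port when one is present, so a `localhost:<port>` host takes neither branch — that is pre-existing behaviour, and whether it matters depends on the steps that follow, which lie outside the hunk along with the rest of isOriginPotentiallyTrustworthy. A small regression test pinning `localhost`, `a.localhost` and a long non-matching host would guard against a regex creeping back here.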