fix(web): Copilot レビュー対応 — Referer パース安全化・selfOrigin 取得改善

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Sora4431

apps/web/src/lib/server/validate-origin.test.ts

@@ -22,48 +22,50 @@ describe('validateOrigin', () => {
   });
 
   it('rejects requests with no Origin or Referer', () => {
-    const req = createRequest({ host: 'example.com' });
+    const req = createRequest();
     expect(() => validateOrigin(req)).toThrow();
   });
 
   it('allows requests with matching Origin (self-origin fallback)', () => {
     const req = createRequest({
       origin: 'https://example.com',
-      host: 'example.com',
     });
     expect(() => validateOrigin(req)).not.toThrow();
   });
 
   it('rejects requests with mismatched Origin (self-origin fallback)', () => {
     const req = createRequest({
       origin: 'https://evil.com',
-      host: 'example.com',
     });
     expect(() => validateOrigin(req)).toThrow();
   });
 
   it('allows requests with matching Referer when no Origin', () => {
     const req = createRequest({
       referer: 'https://example.com/page',
-      host: 'example.com',
     });
     expect(() => validateOrigin(req)).not.toThrow();
   });
 
   it('rejects requests with mismatched Referer', () => {
     const req = createRequest({
       referer: 'https://evil.com/page',
-      host: 'example.com',
     });
     expect(() => validateOrigin(req)).toThrow();
   });
 
+  it('rejects requests with malformed Referer', () => {
+    for (const referer of ['not-a-url', '/relative/path']) {
+      const req = createRequest({ referer });
+      expect(() => validateOrigin(req)).toThrow();
+    }
+  });
+
   describe('ALLOWED_ORIGINS', () => {
     it('allows origins in the allowlist', () => {
       mockEnv.ALLOWED_ORIGINS = 'https://app.example.com, https://staging.example.com';
       const req = createRequest({
         origin: 'https://app.example.com',
-        host: 'example.com',
       });
       expect(() => validateOrigin(req)).not.toThrow();
     });
@@ -72,25 +74,8 @@ describe('validateOrigin', () => {
       mockEnv.ALLOWED_ORIGINS = 'https://app.example.com';
       const req = createRequest({
         origin: 'https://evil.com',
-        host: 'example.com',
       });
       expect(() => validateOrigin(req)).toThrow();
     });
   });
-
-  it('uses x-forwarded-proto for self-origin comparison', () => {
-    const req = createRequest({
-      origin: 'http://example.com',
-      host: 'example.com',
-      'x-forwarded-proto': 'http',
-    });
-    expect(() => validateOrigin(req)).not.toThrow();
-  });
-
-  it('rejects when host header is missing and no ALLOWED_ORIGINS', () => {
-    const req = createRequest({
-      origin: 'https://example.com',
-    });
-    expect(() => validateOrigin(req)).toThrow();
-  });
 });

apps/web/src/lib/server/validate-origin.ts

@@ -13,7 +13,14 @@ export function validateOrigin(request: Request): void {
   const origin = request.headers.get('origin');
   const referer = request.headers.get('referer');
 
-  const requestOrigin = origin ?? (referer ? new URL(referer).origin : null);
+  let requestOrigin = origin;
+  if (!requestOrigin && referer) {
+    try {
+      requestOrigin = new URL(referer).origin;
+    } catch {
+      requestOrigin = null;
+    }
+  }
 
   if (!requestOrigin) {
     throw error(403, 'Forbidden');
@@ -27,13 +34,7 @@ export function validateOrigin(request: Request): void {
   }
 
   // Fallback: 自オリジンとの比較
-  const host = request.headers.get('host');
-  if (!host) {
-    throw error(403, 'Forbidden');
-  }
-
-  const protocol = request.headers.get('x-forwarded-proto') ?? 'https';
-  const selfOrigin = `${protocol}://${host}`;
+  const selfOrigin = new URL(request.url).origin;
 
   if (requestOrigin !== selfOrigin) {
     throw error(403, 'Forbidden');