Description
Which @angular/* package(s) are the source of the bug?
core
Is this a regression?
Yes
Description
I am working through upgrading my project to angular 20, and have found that the REQUEST injection token provided for SSR no longer holds the referer header from the client, which is a required header for my API in order to correctly handle auth (alongside cookies). Without both headers I the server render of the page is always done as a logged out user, which would force me to do weird duplicate requests on the client in order to load the data again, which really defeats a major point of SSR.
This is the interceptor I have that is setting up the headers required on all API requests to properly handle authentication:
import { HttpInterceptorFn, HttpXsrfTokenExtractor } from '@angular/common/http';
import { inject, PLATFORM_ID, REQUEST } from '@angular/core';
import { isPlatformServer } from '@angular/common';
export const CSRF_TOKEN_NAME = 'X-XSRF-TOKEN';
export const httpTokenInterceptor: HttpInterceptorFn = (req, next) => {
const extractor = inject(HttpXsrfTokenExtractor);
const request = inject(REQUEST);
const platform = inject(PLATFORM_ID);
const csrfToken = extractor.getToken();
if (!req.withCredentials) {
req = req.clone({ withCredentials: true });
}
if (isPlatformServer(platform) && request) {
const currentReferer = req.headers.get('referer');
const cachedReferer = request.headers.get('referer');
const currentCookies = req.headers.get('cookie');
const cachedCookies = request.headers.get('cookie');
if (currentCookies === null && cachedCookies !== null) {
req = req.clone({ headers: req.headers.set('cookie', cachedCookies) });
}
if (currentReferer === null && cachedReferer !== null) {
req = req.clone({ headers: req.headers.set('referer', cachedReferer) });
}
}
if (csrfToken !== null && !req.headers.has(CSRF_TOKEN_NAME)) {
req = req.clone({ headers: req.headers.set(CSRF_TOKEN_NAME, csrfToken) });
req = req.clone({
headers: req.headers.set('Referer', FRONTEND_URL.replace(/\/$/, '')),
});
}
return next(req);
};This was working on Angular 19.1.7, but upgrading to 20.0.4 referer is not longer in request.headers.
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
Please provide the environment you discovered this bug in (run ng version)
_ _ ____ _ ___
/ \ _ __ __ _ _ _| | __ _ _ __ / ___| | |_ _|
/ △ \ | '_ \ / _` | | | | |/ _` | '__| | | | | | |
/ ___ \| | | | (_| | |_| | | (_| | | | |___| |___ | |
/_/ \_\_| |_|\__, |\__,_|_|\__,_|_| \____|_____|___|
|___/
Angular CLI: 20.0.3
Node: 24.2.0
Package Manager: yarn 1.22.22
OS: darwin arm64
Angular: 20.0.4
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... platform-server, router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.2000.3
@angular-devkit/build-angular 20.0.3
@angular-devkit/core 20.0.3
@angular-devkit/schematics 20.0.3
@angular/cdk 20.0.3
@angular/cli 20.0.3
@angular/material 20.0.3
@angular/ssr 20.0.3
@schematics/angular 20.0.3
rxjs 7.8.2
typescript 5.8.3
zone.js 0.15.0
Anything else?
No response