Update triage state with issue #18 security bug analysis

[BodenMcHale]

Summary

Updated the triage state tracking file to record the latest triage run and document the analysis of issue #18, a security bug related to the no-referrer-when-downgrade policy in the CSP rules.

Changes

• Updated last_run timestamp to 2026-05-26T05:45:00Z
• Updated last_commit hash to reflect the latest commit
• Added new action entry for issue [REVIEW] Referrer-Policy: no-referrer-when-downgrade classified as "strong" — awards full score for the historical browser default that leaks full URLs cross-origin #18:
  • Identified no-referrer-when-downgrade in strongValues at src/rules.ts:113
  • Located corresponding test coverage at test/analyzer.test.ts:245-248
  • Documented fix path: remove from strongValues and update test expectations (score:5/warning)
• Added skipped issues log entries for issues [REVIEW] HSTS: max-age=0 (HSTS revocation) scores status 'good' due to bonus points from includeSubDomains and preload #17, [REVIEW] CSP: wildcard (*) detection covers only default-src and script-src — connect-src *, form-action *, and mid-policy wildcards silently pass #16, [REVIEW] Cross-Origin Policies: scored by presence only — unsafe-none / cross-origin get full credit #8, and [REVIEW] Permissions-Policy tests: 4 assertions broken by merge regression — main branch CI is red #15:
  • Issues [REVIEW] HSTS: max-age=0 (HSTS revocation) scores status 'good' due to bonus points from includeSubDomains and preload #17, [REVIEW] CSP: wildcard (*) detection covers only default-src and script-src — connect-src *, form-action *, and mid-policy wildcards silently pass #16, and [REVIEW] Cross-Origin Policies: scored by presence only — unsafe-none / cross-origin get full credit #8 deprioritized in favor of [REVIEW] Referrer-Policy: no-referrer-when-downgrade classified as "strong" — awards full score for the historical browser default that leaks full URLs cross-origin #18 (security bug with fewer comments)
  • Issue [REVIEW] Permissions-Policy tests: 4 assertions broken by merge regression — main branch CI is red #15 (correctness bug, Priority 2) ranked below [REVIEW] Referrer-Policy: no-referrer-when-downgrade classified as "strong" — awards full score for the historical browser default that leaks full URLs cross-origin #18 (security bug, Priority 1)

Implementation Details

The triage state now reflects a prioritization decision where issue #18 was selected as the top candidate for action due to its security classification and lower comment count compared to other open issues. The fix involves removing a potentially problematic referrer policy from the strong values list and updating corresponding test assertions.

https://claude.ai/code/session_01FnCagxV2wEg8X1nHtX9uwC