Skip to content

Commit fddad0e

Browse files
victalGuilherme Victal
victal
and
Guilherme Victal
authored
fix(headers): don't forward secure headers on protocol change (#1605)
backport for #1599 to the 2.x branch Co-authored-by: Guilherme Victal <[email protected]>
1 parent 50536d1 commit fddad0e

File tree

2 files changed

+38
-1
lines changed

2 files changed

+38
-1
lines changed

src/index.js

+15-1
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,20 @@ const isDomainOrSubdomain = (destination, original) => {
3636
);
3737
};
3838

39+
/**
40+
* isSameProtocol reports whether the two provided URLs use the same protocol.
41+
*
42+
* Both domains must already be in canonical form.
43+
* @param {string|URL} original
44+
* @param {string|URL} destination
45+
*/
46+
const isSameProtocol = (destination, original) => {
47+
const orig = new URL(original).protocol;
48+
const dest = new URL(destination).protocol;
49+
50+
return orig === dest;
51+
};
52+
3953

4054
/**
4155
* Fetch function
@@ -214,7 +228,7 @@ export default function fetch(url, opts) {
214228
size: request.size
215229
};
216230

217-
if (!isDomainOrSubdomain(request.url, locationURL)) {
231+
if (!isDomainOrSubdomain(request.url, locationURL) || !isSameProtocol(request.url, locationURL)) {
218232
for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
219233
requestOpts.headers.delete(name);
220234
}

test/test.js

+23
Original file line numberDiff line numberDiff line change
@@ -1677,6 +1677,29 @@ describe('node-fetch', () => {
16771677
});
16781678
});
16791679

1680+
it('should not forward secure headers to changed protocol', async () => {
1681+
const res = await fetch('https://httpbin.org/redirect-to?url=http%3A%2F%2Fhttpbin.org%2Fget&status_code=302', {
1682+
headers: new Headers({
1683+
cookie: 'gets=removed',
1684+
cookie2: 'gets=removed',
1685+
authorization: 'gets=removed',
1686+
'www-authenticate': 'gets=removed',
1687+
'other-safe-headers': 'stays',
1688+
'x-foo': 'bar'
1689+
})
1690+
});
1691+
1692+
const headers = new Headers((await res.json()).headers);
1693+
// Safe headers are not removed
1694+
expect(headers.get('other-safe-headers')).to.equal('stays');
1695+
expect(headers.get('x-foo')).to.equal('bar');
1696+
// Unsafe headers should not have been sent to downgraded http
1697+
expect(headers.get('cookie')).to.equal(null);
1698+
expect(headers.get('cookie2')).to.equal(null);
1699+
expect(headers.get('www-authenticate')).to.equal(null);
1700+
expect(headers.get('authorization')).to.equal(null);
1701+
});
1702+
16801703
it('should forward secure headers to same host', () => {
16811704
return fetch(`${base}redirect-to/302/${base}inspect`, {
16821705
headers: new Headers({

0 commit comments

Comments
 (0)