diff --git a/lib/handler/redirect.js b/lib/handler/redirect.js
index 998a8c2352b..a464e052dc7 100644
--- a/lib/handler/redirect.js
+++ b/lib/handler/redirect.js
@@ -186,7 +186,8 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {
   return (
     (header.length === 4 && header.toString().toLowerCase() === 'host') ||
     (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
-    (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization')
+    (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
+    (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
   )
 }
 
diff --git a/test/redirect-request.js b/test/redirect-request.js
index 73c8cdbfb36..930f6512971 100644
--- a/test/redirect-request.js
+++ b/test/redirect-request.js
@@ -7,7 +7,8 @@ const {
   startRedirectingWithBodyServer,
   startRedirectingChainServers,
   startRedirectingWithoutLocationServer,
-  startRedirectingWithAuthorization
+  startRedirectingWithAuthorization,
+  startRedirectingWithCookie
 } = require('./utils/redirecting-servers')
 const { createReadable, createReadableStream } = require('./utils/stream')
 
@@ -489,3 +490,22 @@ t.test('removes authorization header on third party origin', async t => {
 
   t.equal(body, '')
 })
+
+t.test('removes cookie header on third party origin', async t => {
+  t.plan(1)
+
+  const [server1] = await startRedirectingWithCookie(t, 'a=b')
+  const { body: bodyStream } = await undici.request(`http://${server1}`, {
+    maxRedirections: 10,
+    headers: {
+      cookie: 'a=b'
+    }
+  })
+
+  let body = ''
+  for await (const b of bodyStream) {
+    body += b
+  }
+
+  t.equal(body, '')
+})
diff --git a/test/redirect-stream.js b/test/redirect-stream.js
index ac60c70197f..abb778c2c8f 100644
--- a/test/redirect-stream.js
+++ b/test/redirect-stream.js
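Review bot: The new Cookie clause on the last added line is gated only by `unknownOrigin`, so whether a cookie survives an https→http (or port-changing) redirect to the same host depends entirely on how `unknownOrigin` is computed, which this hunk does not show; if that flag compares hosts only, a scheme or port downgrade would still forward the cookie, so the comparison should cover the full origin (scheme, host, port), and the same caveat applies to the existing Authorization clause. Proxy-Authorization is not in this list either; if callers can set it, it deserves the same treatment, hedged on whether the client ever sends it. As a point of style, `header.toString().toLowerCase()` is now evaluated up to four times per header and each clause carries a redundant `header.length` pre-check; lower-casing once into a local and comparing plain strings keeps the behaviour and reads as one rule per header. The `function shouldRemoveHeader` signature is in the hunk header, outside the changed lines.

```javascript
function shouldRemoveHeader (header, removeContent, unknownOrigin) {
  // Normalise once; header may arrive as a Buffer or a string.
  const name = header.toString().toLowerCase()
  return (
    name === 'host' ||
    (removeContent && name.startsWith('content-')) ||
    // Credentials must not follow a redirect to another origin.
    (unknownOrigin && (name === 'authorization' || name === 'cookie'))
  )
}
```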
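Review bot: The final `t.equal(body, '')` cannot distinguish a stripped cookie from a request that never reached server2: startRedirectingWithCookie answers 403 with an empty body when the cookie is absent on the first hop, and `undici.request` resolves rather than throws on a 403, so the test would also pass if the client dropped the cookie on the very first request or never followed the redirect at all. Pin the status of the final response as well, `const { statusCode, body: bodyStream } = await undici.request(...)` followed by `t.equal(statusCode, 200)`, and bump to `t.plan(2)`, so a passing run proves the redirect was actually taken; server2 replies with the default 200, assuming the redirect handler surfaces the last response's status, which the hunk does not show.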
@@ -7,7 +7,8 @@ const {
   startRedirectingWithBodyServer,
   startRedirectingChainServers,
   startRedirectingWithoutLocationServer,
-  startRedirectingWithAuthorization
+  startRedirectingWithAuthorization,
+  startRedirectingWithCookie
 } = require('./utils/redirecting-servers')
 const { createReadable, createWritable } = require('./utils/stream')
 
@@ -401,3 +402,20 @@ t.test('removes authorization header on third party origin', async t => {
 
   t.equal(body.length, 0)
 })
+
+t.test('removes cookie header on third party origin', async t => {
+  t.plan(1)
+
+  const body = []
+
+  const [server1] = await startRedirectingWithCookie(t, 'a=b')
+  await stream(`http://${server1}`, {
+    maxRedirections: 10,
+    opaque: body,
+    headers: {
+      cookie: 'a=b'
+    }
+  }, ({ statusCode, headers, opaque }) => createWritable(opaque))
+
+  t.equal(body.length, 0)
+})
diff --git a/test/utils/redirecting-servers.js b/test/utils/redirecting-servers.js
index 02812a9759d..4b3f51cd69d 100644
--- a/test/utils/redirecting-servers.js
+++ b/test/utils/redirecting-servers.js
@@ -178,6 +178,29 @@ async function startRedirectingWithAuthorization (t, authorization) {
   return [server1, server2]
 }
 
+async function startRedirectingWithCookie (t, cookie) {
+  const server1 = await startServer(t, (req, res) => {
+    if (req.headers.cookie !== cookie) {
+      res.statusCode = 403
+      res.setHeader('Connection', 'close')
+      res.end('')
+      return
+    }
+
+    res.statusCode = 301
+    res.setHeader('Connection', 'close')
+
+    res.setHeader('Location', `http://${server2}`)
+    res.end('')
+  })
+
+  const server2 = await startServer(t, (req, res) => {
+    res.end(req.headers.cookie || '')
+  })
+
+  return [server1, server2]
+}
+
 async function startRedirectingWithRelativePath (t) {
   const server = await startServer(t, (req, res) => {
     res.setHeader('Connection', 'close')
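Review bot: `t.equal(body.length, 0)` at the end of the new test is satisfied equally by server1's 403, whose body is also empty, so the test passes if the cookie was never sent or the redirect never happened, not only when the cookie was stripped on the second hop. The factory already receives `statusCode`, so assert it there, `({ statusCode, opaque }) => { t.equal(statusCode, 200); return createWritable(opaque) }`, and raise `t.plan(1)` to `t.plan(2)`; that also drops the unused `headers` binding from the destructuring. This assumes the factory is invoked once for the final response after the redirect, which is consistent with the existing tests but not visible in the hunk.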
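Review bot: The 403 branch in server1 ends with `res.end('')`, the same empty body the two new tests take as proof that the cookie was stripped, so a client that never sent the cookie in the first place sails through them; `res.end('cookie missing')` (any non-empty marker) makes the rejection observable without touching the happy path. Separately, `server2` is referenced inside server1's handler before its `const` is declared; this is safe only because the handler runs when a request arrives, after both `await startServer` calls have completed, and a short comment above the first `startServer` call such as `// server2 is resolved below; the handler runs only after both servers are up` would stop a later reader from "fixing" it. The surrounding startRedirectingWithAuthorization helper, which this mirrors, starts outside the hunk.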
@@ -206,5 +229,6 @@ module.exports = {
   startRedirectingWithoutLocationServer,
   startRedirectingChainServers,
   startRedirectingWithAuthorization,
+  startRedirectingWithCookie,
   startRedirectingWithRelativePath
 }