
Merge pull request from GHSA-3787-6prv-h9w3
Signed-off-by: Matteo Collina <hello@matteocollina.com>
mcollina authored Feb 5, 2024
1 parent 5db527a commit b9da3e4
Showing 2 changed files with 7 additions and 2 deletions.
3 changes: 3 additions & 0 deletions lib/fetch/index.js
Expand Up @@ -1326,6 +1326,9 @@ function httpRedirectFetch (fetchParams, response) {
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
request.headersList.delete('authorization', true)

// https://fetch.spec.whatwg.org/#authentication-entries
request.headersList.delete('proxy-authorization', true)

// "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
request.headersList.delete('cookie', true)
request.headersList.delete('host', true)
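Review bot: The new comment on the `proxy-authorization` deletion cites the Fetch spec's "authentication entries" section, but that section describes proxy-authentication entries and does not itself mandate stripping the header on a cross-origin redirect; only `Authorization` is covered by the CORS non-wildcard request-header rule quoted just above. A maintainer reading this later may conclude the line is redundant with the spec and remove it, so the why should be spelled out, e.g. `// Not a CORS non-wildcard request-header name, but undici lets callers set Proxy-Authorization directly, so strip it as well or proxy credentials leak to the redirect target (GHSA-3787-6prv-h9w3).` The condition that makes this block run only for cross-origin redirects, and the rest of httpRedirectFetch, lie outside the hunk, so whether same-origin redirects are meant to retain the header cannot be confirmed from here.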
6 changes: 4 additions & 2 deletions test/fetch/redirect-cross-origin-header.js
Expand Up @@ -7,11 +7,12 @@ const { once } = require('node:events')
const { fetch } = require('../..')

test('Cross-origin redirects clear forbidden headers', async (t) => {
const { strictEqual } = tspl(t, { plan: 5 })
const { strictEqual } = tspl(t, { plan: 6 })

const server1 = createServer((req, res) => {
strictEqual(req.headers.cookie, undefined)
strictEqual(req.headers.authorization, undefined)
strictEqual(req.headers['proxy-authorization'], undefined)

res.end('redirected')
}).listen(0)
Expand Down Expand Up @@ -40,7 +41,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => {
const res = await fetch(`http://localhost:${server2.address().port}`, {
headers: {
Authorization: 'test',
Cookie: 'ddd=dddd'
Cookie: 'ddd=dddd',
'Proxy-Authorization': 'test'
}
})

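Review bot: The added assertion `strictEqual(req.headers['proxy-authorization'], undefined)` in server1's handler only proves the header is absent at the redirect target; nothing visible checks that server2 (the first hop) actually received `Proxy-Authorization: test`, so the test would also pass if undici dropped or mangled the header before the initial request. The plan went from 5 to 6 to match the one new assertion in server1, which suggests the handler for server2 (collapsed between the two hunks) was not extended. Add the positive check there, e.g. `strictEqual(req.headers['proxy-authorization'], 'test')`, and bump `plan` to 7 so the regression test cannot pass vacuously.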
