Skip to content

Commit

Permalink
Merge pull request from GHSA-3787-6prv-h9w3
Browse files Browse the repository at this point in the history
Signed-off-by: Matteo Collina <hello@matteocollina.com>
  • Loading branch information
mcollina committed Feb 5, 2024
1 parent 9a14e5f commit d3aa574
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 2 deletions.
3 changes: 3 additions & 0 deletions lib/fetch/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -1203,6 +1203,9 @@ function httpRedirectFetch (fetchParams, response) {
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
request.headersList.delete('authorization')

// https://fetch.spec.whatwg.org/#authentication-entries
request.headersList.delete('proxy-authorization', true)

// "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
request.headersList.delete('cookie')
request.headersList.delete('host')
Expand Down
6 changes: 4 additions & 2 deletions test/fetch/redirect-cross-origin-header.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,12 @@ const { once } = require('events')
const { fetch } = require('../..')

test('Cross-origin redirects clear forbidden headers', async (t) => {
t.plan(5)
t.plan(6)

const server1 = createServer((req, res) => {
t.equal(req.headers.cookie, undefined)
t.equal(req.headers.authorization, undefined)
t.equal(req.headers['proxy-authorization'], undefined)

res.end('redirected')
}).listen(0)
Expand Down Expand Up @@ -39,7 +40,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => {
const res = await fetch(`http://localhost:${server2.address().port}`, {
headers: {
Authorization: 'test',
Cookie: 'ddd=dddd'
Cookie: 'ddd=dddd',
'Proxy-Authorization': 'test'
}
})

Expand Down

0 comments on commit d3aa574

Please sign in to comment.