Merge pull request #387 from tomas/set-cookie-on-redirect-if-same-domain

Set cookie on redirect only if domain matches
tomas · Apr 7, 2022 · 9daa93f · 9daa93f
2 parents d93c442 + 1771c77
commit 9daa93f
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -360,7 +360,7 @@ Redirect options
 
 These options only apply if the `follow_max` (or `follow`) option is higher than 0.
 
- - `follow_set_cookies`      : Sends the cookies received in the `set-cookie` header as part of the following request. `false` by default.
+ - `follow_set_cookies`      : Sends the cookies received in the `set-cookie` header as part of the following request, *if hosts match*. `false` by default.
  - `follow_set_referer`      : Sets the 'Referer' header to the requested URI when following a redirect. `false` by default.
  - `follow_keep_method`      : If enabled, resends the request using the original verb instead of being rewritten to `get` with no data. `false` by default.
  - `follow_if_same_host`     : When true, Needle will only follow redirects that point to the same host as the original request. `false` by default.

diff --git a/lib/needle.js b/lib/needle.js
@@ -179,6 +179,10 @@ function resolve_url(href, base) {
   return url.resolve(base, href);
 }
 
+function domains_match(one, two) {
+  return one && two && resolve_url(one).host == resolve_url(two).host;
+}
+
 function host_and_ports_match(url1, url2) {
   if (url1.indexOf('http') < 0) url1 = 'http://' + url1;
   if (url2.indexOf('http') < 0) url2 = 'http://' + url2;
@@ -615,7 +619,7 @@ Needle.prototype.send_request = function(count, method, uri, config, post_data,
 
         // if follow_set_cookies is true, insert cookies in the next request's headers.
         // we set both the original request cookies plus any response cookies we might have received.
-        if (config.follow_set_cookies) {
+        if (config.follow_set_cookies && domains_match(headers.location, uri)) {
           var request_cookies = cookies.read(config.headers['cookie']);
           config.previous_resp_cookies = resp.cookies;
           if (Object.keys(request_cookies).length || Object.keys(resp.cookies || {}).length) {

diff --git a/test/redirect_spec.js b/test/redirect_spec.js
@@ -90,7 +90,6 @@ describe('redirects', function() {
         spies[current_protocol].callCount.should.eql(2);
         done();
       })
-
     }
 
     function followed_other_protocol(done) {
@@ -193,8 +192,6 @@ describe('redirects', function() {
           opts = { follow: value };
         })
 
-
-
         describe('and redirected to the same path on same host and protocol', function() {
           before(function() {
             location = url;
@@ -258,8 +255,26 @@ describe('redirects', function() {
 
           it('sends a GET request with no data', function(done) {
             send_request(opts, function(err, resp) {
-              spies.http.args[0][0].method.should.eql('GET');
               // spy.args[0][3].should.eql(null);
+              spies.http.args[0][0].method.should.eql('GET');
+              done();
+            })
+          })
+
+          it('does not resend cookies if follow_set_cookies is false', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = false;
+            send_request(opts, function(err, resp) {
+              should.not.exist(spies.http.args[0][0].headers['cookie']);
+              done();
+            })
+          })
+
+          it('resends cookies if follow_set_cookies is true', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = true;
+            send_request(opts, function(err, resp) {
+              spies.http.args[0][0].headers['cookie'].should.eql('foo=bar')
               done();
             })
           })
@@ -285,8 +300,26 @@ describe('redirects', function() {
 
           it('sets Referer header when following redirect', function(done) {
             send_request(opts, function(err, resp) {
-              spies.http.args[0][0].headers['referer'].should.eql("http://" + host + ":8888/hello");
               // spies.http.args[0][3].should.eql({ foo: 'bar'});
+              spies.http.args[0][0].headers['referer'].should.eql("http://" + host + ":8888/hello");
+              done();
+            })
+          })
+
+          it('does not resend cookies if follow_set_cookies is false', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = false;
+            send_request(opts, function(err, resp) {
+              should.not.exist(spies.http.args[0][0].headers['cookie']);
+              done();
+            })
+          })
+
+          it('resends cookies if follow_set_cookies is true', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = true;
+            send_request(opts, function(err, resp) {
+              spies.http.args[0][0].headers['cookie'].should.eql('foo=bar')
               done();
             })
           })
@@ -318,6 +351,24 @@ describe('redirects', function() {
             })
           })
 
+          it('does not resend cookies if follow_set_cookies is false', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = false;
+            send_request(opts, function(err, resp) {
+              should.not.exist(spies.http.args[0][0].headers['cookie']);
+              done();
+            })
+          })
+
+          it('resends cookies if follow_set_cookies is true', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = true;
+            send_request(opts, function(err, resp) {
+              spies.http.args[0][0].headers['cookie'].should.eql('foo=bar')
+              done();
+            })
+          })
+
         })
 
       })
@@ -333,7 +384,17 @@ describe('redirects', function() {
           before(function() {
             location = url.replace(host, hostname);
           })
+
           it('follows redirect', followed_same_protocol);
+
+          it('does not resend cookies even if follow_set_cookies is true', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = true;
+            send_request(opts, function(err, resp) {
+              should.not.exist(spies.http.args[0][0].headers['cookie']);
+              done();
+            })
+          })
         })
 
       })
@@ -366,7 +427,17 @@ describe('redirects', function() {
           before(function() {
             location = url.replace(host, hostname).replace(protocol, other_protocol).replace(ports[protocol], ports[other_protocol]);
           })
+
           it('follows redirect', followed_other_protocol);
+
+          it('does not resend cookies even if follow_set_cookies is true', function(done) {
+            opts.cookies = {foo: 'bar'};
+            opts.follow_set_cookies = true;
+            send_request(opts, function(err, resp) {
+              should.not.exist(spies.http.args[0][0].headers['cookie']);
+              done();
+            })
+          })
         })
 
       })