fix(ext/fetch): no auth on cross origin redirect #16745

Open
wants to merge 7 commits into
base: main
from
25 changes: 21 additions & 4 deletions ext/fetch/26_fetch.js
Expand Up @@ -348,6 +348,16 @@ async function mainFetch(req, recursive, terminator) {
return response;
}

/**
* @param {URL} a
* @param {URL} b
* @returns {boolean}
*/
function isSameOrigin(a, b) {
if (a.origin === null) return false;
return a.origin === b.origin;
}

/**
* @param {InnerRequest} request
* @param {InnerResponse} response
Expand Down Expand Up @@ -385,6 +395,7 @@ function httpRedirectFetch(request, response, terminator) {
"Can not redeliver a streaming request body after a redirect",
);
}
let clearBodyHeaders = false;
if (
((response.status === 301 || response.status === 302) &&
request.method === "POST") ||
Expand All @@ -394,12 +405,18 @@ function httpRedirectFetch(request, response, terminator) {
) {
request.method = "GET";
request.body = null;
clearBodyHeaders = true;
}
const noAuth = !isSameOrigin(request.currentUrl(), locationURL);
if (clearBodyHeaders || noAuth) {
for (let i = 0; i < request.headerList.length; i++) {
const headerName = byteLowerCase(request.headerList[i][0]);
if (
ArrayPrototypeIncludes(
REQUEST_BODY_HEADER_NAMES,
byteLowerCase(request.headerList[i][0]),
)
noAuth && headerName == "authorization" ||
clearBodyHeaders && ArrayPrototypeIncludes(
REQUEST_BODY_HEADER_NAMES,
headerName,
)
) {
ArrayPrototypeSplice(request.headerList, i, 1);
i--;
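Review bot: `isSameOrigin` guards on `a.origin === null`, but `URL.prototype.origin` is always a string and serializes an opaque origin as the string `"null"`, so that line never fires and two opaque-origin URLs would compare equal and keep the Authorization header across the redirect; the guard should read `if (a.origin === "null") return false;`. The redirect path may already reject non-HTTP(S) Location URLs before this point, which would limit the practical impact, but that happens outside the hunk and the dead check still misleads a reader into thinking opaque origins are handled. In the header-stripping loop, `noAuth && headerName == "authorization"` should use `===`, and the mixed `&&`/`||` chain would read more safely with parentheses around each operand of the `||`. `httpRedirectFetch` starts and ends outside the hunk.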
8 changes: 2 additions & 6 deletions tools/wpt/expectation.json
Expand Up @@ -6150,12 +6150,8 @@
"credentials": {
"authentication-basic.any.html": true,
"authentication-basic.any.worker.html": true,
"authentication-redirection.any.html": [
"getAuthorizationHeaderValue - cross origin redirection"
],
"authentication-redirection.any.worker.html": [
"getAuthorizationHeaderValue - cross origin redirection"
],
"authentication-redirection.any.html": true,
"authentication-redirection.any.worker.html": true,
"cookies.any.html": [
"Include mode: 1 cookie",
"Include mode: 2 cookies",