From 1e18cafb136bbec7bf5ed6f4ff7c787f03468e66 Mon Sep 17 00:00:00 2001
From: Luca Casonato
Date: Mon, 21 Nov 2022 17:55:11 +0100
Subject: [PATCH] fix(ext/fetch): no auth on cross origin redirect

Spec change: https://github.com/whatwg/fetch/pull/1544
---
 ext/fetch/26_fetch.js | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/ext/fetch/26_fetch.js b/ext/fetch/26_fetch.js
index e522079bf75d2f..f17373a0cc5f56 100644
--- a/ext/fetch/26_fetch.js
+++ b/ext/fetch/26_fetch.js
@@ -308,6 +308,16 @@
 return response;
 }
 
+ /**
+ * @param {URL} a
+ * @param {URL} b
+ * @returns {boolean}
+ */
+ function isSameOrigin(a, b) {
+ if (a.origin === null) return false;
+ return a.origin === b.origin;
+ }
+
 /**
 * @param {InnerRequest} request
 * @param {InnerResponse} response
@@ -366,6 +376,14 @@
 }
 }
 }
+ if (!isSameOrigin(request.currentUrl, locationURL)) {
+ for (let i = 0; i < request.headerList.length; i++) {
+ if (byteLowerCase(request.headerList[i][0]) == "authorization") {
+ ArrayPrototypeSplice(request.headerList, i, 1);
+ i--;
+ }
+ }
+ }
 if (request.body !== null) {
 const res = extractBody(request.body.source);
 request.body = res.body;
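Review bot: The guard `if (a.origin === null) return false;` in `isSameOrigin` can never fire, because `URL.prototype.origin` always returns a string and an opaque origin serialises as the string `"null"`. As written, two URLs with opaque origins compare equal and count as same-origin, so if such URLs can reach this helper, the `Authorization` stripping added later in this patch would be skipped for them. Comparing against the string keeps the helper fail-closed: `if (a.origin === "null") return false;`. A short comment above the guard, such as `// Opaque origins are never same-origin, not even with themselves.`, would record the intent.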
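Review bot: `isSameOrigin` is documented as taking two `URL` objects, but the new `if` passes `request.currentUrl` as-is. The `InnerRequest` definition is outside this hunk, so confirm it yields a `URL` here; a string or an uncalled accessor has no `.origin`, which would make the comparison always false and drop `Authorization` on same-origin redirects too. The header-name test uses `==` where the first hunk uses `===`; `byteLowerCase(request.headerList[i][0]) === "authorization"` is the consistent form. The patch touches only `ext/fetch/26_fetch.js`, so a test pinning both directions (header removed on a cross-origin redirect, kept on a same-origin one) would guard this behaviour. Only `Authorization` is removed; hand-set `Cookie` or `Proxy-Authorization` headers are still forwarded to the new origin, so a comment such as `// Only Authorization is dropped here; other caller-set credential headers are forwarded unchanged.` would make that scope explicit (the enclosing function starts and ends outside the hunk).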