fix(ext/fetch): no auth on cross origin redirect

Spec change: whatwg/fetch#1544
lucacasonato · Nov 21, 2022 · cc513dc · cc513dc
1 parent a300b96
commit cc513dc
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/ext/fetch/26_fetch.js b/ext/fetch/26_fetch.js
@@ -308,6 +308,16 @@
     return response;
   }
 
+  /**
+   * @param {URL} a
+   * @param {URL} b
+   * @returns {boolean}
+   */
+  function isSameOrigin(a, b) {
+    if (a.origin === null) return false;
+    return a.origin === b.origin;
+  }
+
   /**
    * @param {InnerRequest} request
    * @param {InnerResponse} response
@@ -366,6 +376,14 @@
         }
       }
     }
+    if (!isSameOrigin(request.currentUrl(), locationURL)) {
+      for (let i = 0; i < request.headerList.length; i++) {
+        if (byteLowerCase(request.headerList[i][0]) == "authorization") {
+          ArrayPrototypeSplice(request.headerList, i, 1);
+          i--;
+        }
+      }
+    }
     if (request.body !== null) {
       const res = extractBody(request.body.source);
       request.body = res.body;