Ff111 fetch authorization cross origin

[hamishwillee]

From FF111 if a fetch() or XMLHttpRequest request is redirected cross-origin, then a developer-added Authorization HTTP header will be removed from the request. The header is not stripped if the request is redirected to the same origin.

There isn't any particularly great place to record this information. What I have done is added it as a note to the option.headers value for fetch() and in the description for XMLHttpRequest.setRequestHeader() - I think that is the most likely place it will be seen. This also gets a note in the Authorization header.

I've also added a release note.

Other docs work can be tracked in #22533

[github-actions]

Preview URLs

• /en-US/docs/Mozilla/Firefox/Releases/111
• /en-US/docs/Web/API/XMLHttpRequest/setRequestHeader
• /en-US/docs/Web/API/fetch
• /en-US/docs/Web/HTTP/Headers/Authorization

External URLs (2)

URL: /en-US/docs/Mozilla/Firefox/Releases/111
Title: Firefox 111 for developers

• https://bugzil.la/1802086 (2 times) (Note! This may be a new URL 👀)

---

URL: /en-US/docs/Web/API/fetch
Title: fetch()

• https://www.rfc-editor.org/rfc/rfc9110 (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2023-03-10 03:26:27)

[hamishwillee]

FYI this is part of the same work as the stuff down in APIs for fetch(). But it is kind of separate in that it is at the HTTP layer in code, and this is where you might look for it.

[hamishwillee]

FYI, this is the only new content here - the rest is layout. All it does is note that if the authorization header is added it will be stripped.

[rhclayto]

Where is the best place to ask a question about this new feature? I am experiencing the Authorization header being stripped in Firefox Developer Edition, even though the response is not a cross-origin redirect. This is a request from a SPA using the Axios library to an API on the same subdomain & both using HTTPS. Setting network.fetch.redirect.stripAuthHeader = false makes it work again.

[Rumyra]

Thanks @hamishwillee