Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When redirecting to a different host, strip Authorization header #274

Closed
bitinn opened this issue May 12, 2017 · 5 comments
Closed

When redirecting to a different host, strip Authorization header #274

bitinn opened this issue May 12, 2017 · 5 comments
Labels
Node-specific pending pr

Comments

@bitinn
Copy link
Collaborator

bitinn commented May 12, 2017

This is a tricky one, on the surface, security first, why would you want to do that?

But:

  • There isn't a Spec / RFC enforcing it.
  • Some single sign-on solutions even rely on it.

Request that do implement such a thing:

So does curl (but only when using a http proxy?)

Either way, I am not rushing to fix this, but a heads-up if anyone is using node-fetch for authorisation.
@bitinn bitinn added the on hold label May 12, 2017
@bitinn bitinn added pending pr and removed on hold labels Dec 11, 2017
@TimothyGu
Copy link
Collaborator

The reason why the Fetch Standard doesn't enforce it is because it doesn't allow fetching a URL with credentials in the first place. See Request() step 6.3:

  1. If input is a string, then run these substeps:
    1. Let parsedURL be the result of parsing input with baseURL.
    2. If parsedURL is failure, then throw a TypeError.
    3. If parsedURL includes credentials, then throw a TypeError.

I think we should make this change.

@TimothyGu TimothyGu mentioned this issue Mar 28, 2018
Closed
@bitinn bitinn added this to the Version 3.0.0 milestone May 1, 2019
@aquark aquark mentioned this issue May 13, 2019
Closed
@Richienb Richienb self-assigned this Sep 10, 2019
@Richienb
Copy link
Member

@bitinn @TimothyGu For this issue, should we stick as close as possible to the spec and deny credentials or just strip the Authorisation header?

@bitinn
Copy link
Collaborator Author

bitinn commented Sep 12, 2019
edited

@Richienb I am slightly confused reading Timothy's comment, because mine was about stripping the Authorization header during redirect, he's saying credentials in the URL are denied (which is correct, MDN says Chrome denies it for all cases).

I am pretty sure in the Auth header scenario, Fetch is controlled by credentials mode, which we don't support yet.

So either we now support it, or we just dropped the credentials on redirect using either omit or same-origin policy.

(supporting credentials is probably a better choice, our current behavior is basically include, which would work in most cases, but not secure by default; but it's a bit of work to properly drop cookies and auth headers and TLS client-cert...)

@Richienb
Copy link
Member

@bitinn I'll add this to the roadmap.

@Richienb Richienb removed their assignment Sep 12, 2019
@xxczaki xxczaki mentioned this issue Sep 12, 2019
Closed
35 tasks
@jimmywarting jimmywarting mentioned this issue May 29, 2020
Closed
@jimmywarting jimmywarting removed this from the Version 3.0.0 milestone Aug 12, 2021
@bitinn bitinn mentioned this issue Jan 15, 2022
Merged
4 tasks
@bitinn
Copy link
Collaborator Author

bitinn commented Jan 15, 2022

close via #1449

@bitinn bitinn closed this as completed Jan 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Node-specific pending pr
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jimmywarting @bitinn @TimothyGu @Richienb