Skip to content

fix(node): strip credentials on cross-origin 307/308 redirects#1848

Open
greymoth-jp wants to merge 1 commit into
forwardemail:masterfrom
greymoth-jp:fix/cross-origin-redirect-credentials
Open

fix(node): strip credentials on cross-origin 307/308 redirects#1848
greymoth-jp wants to merge 1 commit into
forwardemail:masterfrom
greymoth-jp:fix/cross-origin-redirect-credentials

Conversation

@greymoth-jp

Copy link
Copy Markdown

Summary

Request.prototype._redirect drops Authorization and Cookie when a redirect crosses an origin, but only for 301, 302 and 303. Those branches call utils.cleanHeader(headers, changesOrigin), which removes the two credential headers when changesOrigin is true.

307 and 308 preserve the method and body, so they skip cleanHeader. As a side effect they also skip the credential stripping, and the original Authorization / Cookie headers are re-sent to the redirect target. A server can answer with a 307/308 that points at a different origin and read the caller's credentials.

Fix

Strip Authorization and Cookie after the status-specific handling whenever the target origin differs, so every redirect code behaves the same way. It is a no-op for 301/302/303, which already remove them through cleanHeader.

Test

test/node/redirects-other-host.js already exercises cross-host 301/302/303/307/308 redirects. The second origin now reflects the Authorization and Cookie it receives, and a new block sends both headers, follows a cross-host redirect for each status code, and asserts the other host never sees them. Without the change the 307 and 308 cases fail (the headers arrive at the other host); with it all five pass.

`_redirect` runs `cleanHeader(headers, changesOrigin)` for 301, 302 and
303 responses, which drops `Authorization` and `Cookie` when the redirect
crosses an origin. The 307 and 308 branches keep the method and body, so
they skip `cleanHeader` and re-sent both headers to the new host, leaking
credentials to a third-party origin.

Strip `Authorization` and `Cookie` after the status-specific handling
whenever the target origin differs, so every redirect code behaves the
same way. This is a no-op for 301/302/303, which already remove them.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant