diff --git a/index.js b/index.js
index 6f0c238..ecb05f7 100644
--- a/index.js
+++ b/index.js
@@ -392,9 +392,9 @@ RedirectableRequest.prototype._processResponse = function (response) {
 var redirectUrlParts = url.parse(redirectUrl);
 Object.assign(this._options, redirectUrlParts);
- // Drop the Authorization header if redirecting to another domain
+ // Drop the confidential headers when redirecting to another domain
 if (!(redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost))) {
- removeMatchingHeaders(/^authorization$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
 }
 // Evaluate the beforeRedirect callback
diff --git a/test/test.js b/test/test.js
index 4e3db1d..9e8e45f 100644
--- a/test/test.js
+++ b/test/test.js
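Review bot: The new condition still keys only on `host`, so a redirect from `https://example` to `http://example` (or to a subdomain over plain http) keeps both Authorization and Cookie and sends them in cleartext; the same-host check should also treat a scheme downgrade as a different origin. Because the preceding `Object.assign(this._options, redirectUrlParts)` has already overwritten the protocol by the time the check runs, the previous scheme has to be captured first, e.g. `var currentProtocol = this._options.protocol;` before the assign, and the guard extended to `if (!(redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost)) || (currentProtocol === "https:" && redirectUrlParts.protocol === "http:")) {`. A relative redirect yields a null `protocol` from `url.parse`, so that form does not strip headers for same-scheme relative targets; a test for the https-to-http case would pin it. `_processResponse` starts and ends outside this hunk, and where `currentHost` is computed is not visible here, so the capture may belong next to it.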
@@ -1319,215 +1319,208 @@ describe("follow-redirects", function () {
 });
 });
- describe("when the client passes an Authorization header", function () {
- it("ignores it when null", function () {
- app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
-
- var opts = url.parse("http://127.0.0.1:3600/a");
- opts.headers = {
- host: "localhost",
- authorization: null,
- };
-
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "localhost:3600");
- assert.equal(body.authorization, undefined);
+ [
+ "Authorization",
+ "Cookie",
+ ].forEach(function (header) {
+ describe("when the client passes an header named " + header, function () {
+ it("ignores it when null", function () {
+ app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
- });
- it("keeps the header when redirected to the same host", function () {
- app.get("/a", redirectsTo(302, "/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
+ var opts = url.parse("http://127.0.0.1:3600/a");
+ opts.headers = { host: "localhost" };
+ opts.headers[header] = null;
- var opts = url.parse("http://localhost:3600/a");
- opts.headers = {
- authorization: "bearer my-token-1234",
- };
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+ assert.equal(body[header.toLowerCase()], undefined);
+ });
+ });
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "localhost:3600");
- assert.equal(body.authorization, "bearer my-token-1234");
+ it("keeps the header when redirected to the same host", function () {
+ app.get("/a", redirectsTo(302, "/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
- });
- it("keeps the header when redirected to the same host via header", function () {
- app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
+ var opts = url.parse("http://localhost:3600/a");
+ opts.headers = {};
+ opts.headers[header] = "the header value";
- var opts = url.parse("http://127.0.0.1:3600/a");
- opts.headers = {
- host: "localhost:3600",
- authorization: "bearer my-token-1234",
- };
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+ assert.equal(body[header.toLowerCase()], "the header value");
+ });
+ });
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "localhost:3600");
- assert.equal(body.authorization, "bearer my-token-1234");
+ it("keeps the header when redirected to the same host via header", function () {
+ app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
- });
- it("keeps the header when redirected to the same host via header", function () {
- app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
+ var opts = url.parse("http://127.0.0.1:3600/a");
+ opts.headers = { host: "localhost:3600" };
+ opts.headers[header] = "the header value";
- var opts = url.parse("http://127.0.0.1:3600/a");
- opts.headers = {
- host: "localhost:3600",
- authorization: "bearer my-token-1234",
- };
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+ assert.equal(body[header.toLowerCase()], "the header value");
+ });
+ });
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "localhost:3600");
- assert.equal(body.authorization, "bearer my-token-1234");
+ it("keeps the header when redirected to the same host via header", function () {
+ app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
- });
- it("keeps the header when redirected to a subdomain", function () {
- app.get("/a", redirectsTo(302, "http://sub.localhost:3600/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
+ var opts = url.parse("http://127.0.0.1:3600/a");
+ opts.headers = { host: "localhost:3600" };
+ opts.headers[header] = "the header value";
- var opts = url.parse("http://localhost:3600/a");
- opts.headers = {
- authorization: "bearer my-token-1234",
- };
- // Intercept the hostname, as no DNS entry is defined for it
- opts.beforeRedirect = function (options) {
- assert.equal(options.hostname, "sub.localhost");
- options.hostname = "localhost";
- };
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+ assert.equal(body[header.toLowerCase()], "the header value");
+ });
+ });
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "localhost:3600");
- assert.equal(body.authorization, "bearer my-token-1234");
+ it("keeps the header when redirected to a subdomain", function () {
+ app.get("/a", redirectsTo(302, "http://sub.localhost:3600/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
- });
- it("drops the header when redirected to a different host (same hostname and different port)", function () {
- app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
+ var opts = url.parse("http://localhost:3600/a");
+ opts.headers = {};
+ opts.headers[header] = "the header value";
- var opts = url.parse("http://127.0.0.1:3600/a");
- opts.headers = {
- host: "localhost",
- authorization: "bearer my-token-1234",
- };
+ // Intercept the hostname, as no DNS entry is defined for it
+ opts.beforeRedirect = function (options) {
+ assert.equal(options.hostname, "sub.localhost");
+ options.hostname = "localhost";
+ };
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "localhost:3600");
- assert.equal(body.authorization, undefined);
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+ assert.equal(body[header.toLowerCase()], "the header value");
+ });
+ });
+
+ it("drops the header when redirected to a different host (same hostname and different port)", function () {
+ app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
- });
- it("drops the header when redirected to a different host", function () {
- app.get("/a", redirectsTo(302, "http://127.0.0.1:3600/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
+ var opts = url.parse("http://127.0.0.1:3600/a");
+ opts.headers = { host: "localhost" };
+ opts.headers[header] = "the header value";
- var opts = url.parse("http://localhost:3600/a");
- opts.headers = {
- authorization: "bearer my-token-1234",
- };
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+ assert.equal(body[header.toLowerCase()], undefined);
+ });
+ });
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "127.0.0.1:3600");
- assert.equal(body.authorization, undefined);
+ it("drops the header when redirected to a different host", function () {
+ app.get("/a", redirectsTo(302, "http://127.0.0.1:3600/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
- });
- it("drops the header when redirected from a different host via header", function () {
- app.get("/a", redirectsTo(302, "http://127.0.0.1:3600/b"));
- app.get("/b", function (req, res) {
- res.end(JSON.stringify(req.headers));
- });
+ var opts = url.parse("http://localhost:3600/a");
+ opts.headers = {};
+ opts.headers[header] = "the header value";
- var opts = url.parse("http://127.0.0.1:3600/a");
- opts.headers = {
- host: "localhost",
- authorization: "bearer my-token-1234",
- };
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "127.0.0.1:3600");
+ assert.equal(body[header.toLowerCase()], undefined);
+ });
+ });
- return server.start(app)
- .then(asPromise(function (resolve, reject) {
- http.get(opts, resolve).on("error", reject);
- }))
- .then(asPromise(function (resolve, reject, res) {
- res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
- }))
- .then(function (str) {
- var body = JSON.parse(str);
- assert.equal(body.host, "127.0.0.1:3600");
- assert.equal(body.authorization, undefined);
+ it("drops the header when redirected from a different host via header", function () {
+ app.get("/a", redirectsTo(302, "http://127.0.0.1:3600/b"));
+ app.get("/b", function (req, res) {
+ res.end(JSON.stringify(req.headers));
 });
+
+ var opts = url.parse("http://127.0.0.1:3600/a");
+ opts.headers = { host: "localhost" };
+ opts.headers[header] = "the header value";
+
+ return server.start(app)
+ .then(asPromise(function (resolve, reject) {
+ http.get(opts, resolve).on("error", reject);
+ }))
+ .then(asPromise(function (resolve, reject, res) {
+ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+ }))
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "127.0.0.1:3600");
+ assert.equal(body[header.toLowerCase()], undefined);
+ });
+ });
 });
 });
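Review bot: The refactored suite still carries the pre-existing duplicate: two consecutive `it("keeps the header when redirected to the same host via header", …)` cases on the new side have identical bodies (both request `http://127.0.0.1:3600/a` with `host: "localhost:3600"`), so one of them adds runtime without adding coverage and should be dropped or given a distinct scenario. The new `describe` title reads `"when the client passes an header named "`; `"when the client passes a header named "` is the correct article. No case exercises the header being dropped on a scheme change with the same host, which is the boundary the production check leaves unexamined, so a test with an https listener would be worth adding if the fixture supports it. The enclosing `describe("follow-redirects", …)` block starts before this hunk.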