File tree 1 file changed +8
-0
lines changed 1 file changed +8
-0
lines changed Original file line number Diff line number Diff line change @@ -44,13 +44,21 @@ function simpleGet (opts, cb) {
4444 if ( opts . json ) opts . headers . accept = 'application/json'
4545 if ( opts . method ) opts . method = opts . method . toUpperCase ( )
4646
47+ const originalHost = opts . hostname // hostname before potential redirect
4748 const protocol = opts . protocol === 'https:' ? https : http // Support http/https urls
4849 const req = protocol . request ( opts , res => {
4950 if ( opts . followRedirects !== false && res . statusCode >= 300 && res . statusCode < 400 && res . headers . location ) {
5051 opts . url = res . headers . location // Follow 3xx redirects
5152 delete opts . headers . host // Discard `host` header on redirect (see #32)
5253 res . resume ( ) // Discard response
5354
55+ const redirectHost = url . parse ( opts . url ) . hostname // eslint-disable-line node/no-deprecated-api
56+ // If redirected host is different than original host, drop headers to prevent cookie leak (#73)
57+ if ( redirectHost !== null && redirectHost !== originalHost ) {
58+ delete opts . headers . cookie
59+ delete opts . headers . authorization
60+ }
61+
5462 if ( opts . method === 'POST' && [ 301 , 302 ] . includes ( res . statusCode ) ) {
5563 opts . method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
5664 delete opts . headers [ 'content-length' ] ; delete opts . headers [ 'content-type' ]
You can’t perform that action at this time.
0 commit comments