File tree 1 file changed +8
-0
lines changed
1 file changed +8
-0
lines changed Original file line number Diff line number Diff line change @@ -52,13 +52,21 @@ function simpleGet (opts, cb) {
5252 if ( opts . json ) opts . headers . accept = 'application/json'
5353 if ( ! opts . headers [ 'accept-encoding' ] ) opts . headers [ 'accept-encoding' ] = 'gzip, deflate' // Prefer gzip
5454
55+ var originalHost = opts . hostname // hostname before potential redirect
5556 var protocol = opts . protocol === 'https:' ? https : http // Support http/https urls
5657 var req = protocol . request ( opts , function ( res ) {
5758 if ( res . statusCode >= 300 && res . statusCode < 400 && 'location' in res . headers ) {
5859 opts . url = res . headers . location // Follow 3xx redirects
5960 delete opts . headers . host // Discard `host` header on redirect (see #32)
6061 res . resume ( ) // Discard response
6162
63+ var redirectHost = url . parse ( opts . url ) . hostname // eslint-disable-line node/no-deprecated-api
64+ // If redirected host is different than original host, drop headers to prevent cookie leak (#73)
65+ if ( redirectHost !== null && redirectHost !== originalHost ) {
66+ delete opts . headers . cookie
67+ delete opts . headers . authorization
68+ }
69+
6270 if ( ( res . statusCode === 301 || res . statusCode === 302 ) && opts . method === 'POST' ) {
6371 opts . method = 'GET' // On 301/302 redirect, change POST to GET (see #35)
6472 delete opts . headers [ 'content-length' ]
You can’t perform that action at this time.
0 commit comments