Skip to content

Commit

Permalink
Drop Cookie header across domains.
Browse files Browse the repository at this point in the history
Fixes #183
  • Loading branch information
RubenVerborgh committed Jan 10, 2022
1 parent 6f5029a commit 8b347cb
Show file tree
Hide file tree
Showing 2 changed files with 175 additions and 182 deletions.
4 changes: 2 additions & 2 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -392,9 +392,9 @@ RedirectableRequest.prototype._processResponse = function (response) {
var redirectUrlParts = url.parse(redirectUrl);
Object.assign(this._options, redirectUrlParts);

// Drop the Authorization header if redirecting to another domain
// Drop the confidential headers when redirecting to another domain
if (!(redirectUrlParts.host === currentHost || isSubdomainOf(redirectUrlParts.host, currentHost))) {
removeMatchingHeaders(/^authorization$/i, this._options.headers);
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
}

// Evaluate the beforeRedirect callback
Expand Down
Loading

0 comments on commit 8b347cb

Please sign in to comment.