When redirecting to a different host, strip Authorization header #274
The reason why the Fetch Standard doesn't enforce it is because it doesn't allow fetching a URL with credentials in the first place. See
I think we should make this change.
@bitinn @TimothyGu For this issue, should we stick as close as possible to the spec and deny credentials or just strip the Authorisation header?
@Richienb I am slightly confused reading Timothy's comment, because mine was about stripping the Authorization header during redirect, he's saying credentials in the URL are denied (which is correct, MDN says Chrome denies it for all cases). I am pretty sure in the Auth header scenario, Fetch is controlled by So either we now support it, or we just dropped the credentials on redirect using either (supporting
@bitinn I'll add this to the roadmap.
close via #1449
This is a tricky one: on the surface, security first, why would you want to do that?
But:
Request does implement such a thing:
So does curl (but only when using an http proxy?)
Either way, I am not rushing to fix this, but a heads-up if anyone is using node-fetch for authorisation.
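The behaviour the thread asks for, as an added example that is not node-fetch's own code: when a redirect target's host differs from the original request's host, the Authorization header is dropped before the follow-up request; the URLs, header names and token value are constructed for illustration.

```javascript
// Added example, not node-fetch's implementation: decide which request
// headers survive a redirect. Authorization is forwarded only when the
// redirect target has the same host as the original request, so the
// credential is never replayed to a third-party host.

const STRIP_ON_CROSS_HOST = ['authorization'];

// True when following `toUrl` (the Location value, possibly relative)
// from `fromUrl` would change the host (hostname plus port).
function isCrossHostRedirect(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, fromUrl); // resolve relative Location values
  return from.host.toLowerCase() !== to.host.toLowerCase();
}

// Build the header set for the redirected request. Header names are
// compared case-insensitively, as HTTP requires.
function headersForRedirect(headers, fromUrl, toUrl) {
  const crossHost = isCrossHostRedirect(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && STRIP_ON_CROSS_HOST.includes(name.toLowerCase())) {
      continue; // stripped: credential must not reach the new host
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample: an authenticated request redirected on- and off-host.
const sampleHeaders = {
  Authorization: 'Bearer example-token', // constructed placeholder
  Accept: 'application/json',
};

function demo() {
  const sameHost = headersForRedirect(sampleHeaders,
    'https://api.example.com/v1/users', 'https://api.example.com/v2/users');
  const otherHost = headersForRedirect(sampleHeaders,
    'https://api.example.com/v1/users', 'https://cdn.example.net/users');
  return { sameHost, otherHost };
}
```

Running `demo()` keeps Authorization for the same-host redirect and removes it for the cross-host one, while unrelated headers such as Accept are forwarded in both cases.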