Clear Cookie header when redirect to cross-site

[kyoshidajp]

After version 7.58.0, Authorization header isn't forward to cross-site when redirect.

Cookie header with confidential data should also be supported.

[bagder]

I don't think this makes a lot of sense. Cookies already have a domain match logic to make them only get sent to the relevant hosts and are very frequently used across different names. Can you expand on exactly which use case or problem this would work for?

[kyoshidajp]

Thanks.

The case is Cookie header is specified directly instead of -b/cookie option with cookie file. For example, http://example.jp is original target URL, and http://example.com is redirected URL (may be under attack like domain hijacking).

When I try to run the following command, Cookie header was forward to http://example.com.

curl -H "Cookie: xxx" --verbose -L http://example.jp/

There is no problem when -b option is used like:

curl -b cookie.txt --verbose -L http://example.jp/

[bagder]

Ah right. I suppose this is sensible. The only little detail I miss here is a mention about this in the CURLOPT_HTTPHEADER.3 man page in the similar style the Authorization: restriction is!

[kyoshidajp]

@bagder So, should I add the following sentence under https://github.com/curl/curl/blob/master/docs/libcurl/opts/CURLOPT_HTTPHEADER.3#L87-L89 ?

Starting in 7.64.0, libcurl will specifically prevent "Cookie:" headers
from being sent to other hosts than the first used one, unless specifically
permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.

[bagder]

should I add the following sentence

Yes please!

[danielgustafsson]

LGTM

[danielgustafsson]

Should we have "cookies" here?

[kyoshidajp]

Thanks. I did.

[bagder]

Thanks!