
Commit 0c99bc5

committed
Fix notion of cross-origin to include scheme changes
1 parent 2a5c6f4 commit 0c99bc5


2 files changed

+10
-4
lines changed


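--- a/index.js
+++ b/index.js
@@ -541,11 +541,12 @@ const mergeUrls = (base, input) => (
 base
 );
 
-// sameHost :: (Url, Url) -> Boolean
-const sameHost = (parent, child) => {
+// sameOrigin :: (Url, Url) -> Boolean
+const sameOrigin = (parent, child) => {
 const p = new URL (parent);
 const c = new URL (child);
-return p.host === c.host || c.host.endsWith ('.' + p.host);
+return (p.protocol === c.protocol || c.protocol === 'https:') &&
+(p.host === c.host || c.host.endsWith ('.' + p.host));
 };
 
 // overHeaders :: (Request, Array2 String String -> Array2 String String)
@@ -583,7 +584,7 @@ export const redirectAnyRequest = response => {
 (newUrl)
 (Request.body (original));
 
-return sameHost (oldUrl, newUrl) ? request : overHeaders (request, xs => (
+return sameOrigin (oldUrl, newUrl) ? request : overHeaders (request, xs => (
 xs.filter (([name]) => !confidentialHeaders.includes (name.toLowerCase ()))
 ));
 };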
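Review bot: `sameOrigin` on the new side still treats any subdomain as the same origin through `c.host.endsWith ('.' + p.host)`, so a redirect from `example.com` to an arbitrary `*.example.com` host keeps the headers that `redirectAnyRequest` would otherwise filter via `confidentialHeaders`. That is wider than the scheme/host/port notion of origin the new name suggests, and it matters when subdomains are delegated to other parties or serve user content. If the relaxation is not required, reduce the host test to `p.host === c.host`; if it is intended, say so above the function, e.g. `// Deliberately looser than a web origin: subdomains and http -> https upgrades keep confidential headers`. The body of `redirectAnyRequest` starts outside the second hunk, so how `oldUrl` and `newUrl` are derived is not visible here.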

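--- a/test/index.js
+++ b/test/index.js
@@ -284,6 +284,11 @@ test ('redirectAnyRequest', () => Promise.all ([
 headers: {location: 'https://elsewhere.com/'},
 request: fn.Request ({headers: {cookie: 'yum'}}) ('https://example.com') (fn.emptyStream)})))
 (fn.Request ({headers: {}}) ('https://elsewhere.com/') (fn.emptyStream)),
+assertResolves (fl.map (fn.redirectAnyRequest)
+(mockResponse ({code: 301,
+headers: {location: 'http://example.com/'},
+request: fn.Request ({headers: {cookie: 'yum'}}) ('https://example.com') (fn.emptyStream)})))
+(fn.Request ({headers: {}}) ('http://example.com/') (fn.emptyStream)),
 ]));
 
 test ('redirectIfGetMethod', () => Promise.all ([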
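Review bot: The added case pins only the https-to-http downgrade; the branch `c.protocol === 'https:'` that lets an http-to-https redirect keep its headers is not exercised in the visible lines, nor is the subdomain rule. A mirrored case with the request on `http://example.com`, `location: 'https://example.com/'` and an expected `fn.Request ({headers: {cookie: 'yum'}}) ('https://example.com/') (fn.emptyStream)` would lock in the upgrade behaviour so a later edit cannot silently widen or narrow it. The `redirectAnyRequest` test starts above this hunk, so such a case may already exist outside the visible lines.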
