Clear auth on redirect

Fixes #1309
ladjs · Nov 8, 2017 · 087edaf · paul-cipherlex · Nov 8, 2017 · 087edaf
1 parent 4108c34
commit 087edaf
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/lib/node/index.js b/lib/node/index.js
@@ -417,13 +417,13 @@ Request.prototype._redirect = function(res){
 
   let headers = this.req._headers;
 
-  const shouldStripCookie = parse(url).host !== parse(this.url).host;
+  const changesOrigin = parse(url).host !== parse(this.url).host;
 
   // implementation of 302 following defacto standard
   if (res.statusCode == 301 || res.statusCode == 302){
     // strip Content-* related fields
     // in case of POST etc
-    headers = utils.cleanHeader(this.req._headers, shouldStripCookie);
+    headers = utils.cleanHeader(this.req._headers, changesOrigin);
 
     // force GET
     this.method = 'HEAD' == this.method
@@ -437,7 +437,7 @@ Request.prototype._redirect = function(res){
   if (res.statusCode == 303) {
     // strip Content-* related fields
     // in case of POST etc
-    headers = utils.cleanHeader(this.req._headers, shouldStripCookie);
+    headers = utils.cleanHeader(this.req._headers, changesOrigin);
 
     // force method
     this.method = 'GET';

diff --git a/lib/utils.js b/lib/utils.js
@@ -57,12 +57,14 @@ exports.parseLinks = function(str){
  * @api private
  */
 
-exports.cleanHeader = function(header, shouldStripCookie){
+exports.cleanHeader = function(header, changesOrigin){
   delete header['content-type'];
   delete header['content-length'];
   delete header['transfer-encoding'];
   delete header['host'];
-  if (shouldStripCookie) {
+  // secuirty
+  if (changesOrigin) {
+    delete header['authorization'];
     delete header['cookie'];
   }
   return header;