From eaa1d3b9a929476ea8e93710df95441cec3043fa Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Mon, 21 Nov 2022 17:27:44 +0100 Subject: [PATCH] Remove Authorization header upon cross-origin redirect Tests: ... Fixes #944. --- fetch.bs | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index faefce048..0e555d17c 100644 --- a/fetch.bs +++ b/fetch.bs @@ -4934,11 +4934,10 @@ run these steps:
  • If locationURL's scheme is not an HTTP(S) scheme, then return a network error. -

  • If request's redirect count is - twenty, return a network error. +

  • If request's redirect count is 20, then return a + network error. -

  • Increase request's - redirect count by one. +

  • Increase request's redirect count by 1.

  • If request's mode is "cors", locationURL includes credentials, and request's @@ -4976,6 +4975,16 @@ run these steps: header list. +

  • +

    If request's current URL's origin is not + same origin with locationURL's origin, then + for each headerName of CORS non-wildcard request-header name, + delete headerName from request's + header list. + +

    I.e., the moment another origin is seen after the initial request, the + `Authorization` header is removed. +

  • If request's body is non-null, then set request's body to the body of the result of
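Review bot: The first hunk (@@ -4934) is purely editorial, with "twenty" becoming "20", "one" becoming "1" and a "then" added to the redirect-count step; there is no behavioural change, so it would be cleaner to land it as a separate editorial commit rather than bundle it with the Authorization change, which makes the substantive diff harder to review on its own.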
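Review bot: In the second hunk (@@ -4975), the explanatory note does not quite match the condition it explains: the step compares request's current URL's origin with locationURL's origin, i.e. the two ends of the current redirect hop, whereas the note speaks of "the moment another origin is seen after the initial request". The effect is the same, since once the headers are deleted nothing in this algorithm adds them back, but the note would be more precise as "the moment a redirect crosses to a different origin, the `Authorization` header is removed and is not restored by later redirects, including redirects back to the original origin". It would also help to note that the new step is deliberately unconditional, applying regardless of request's mode or credentials mode, since that is the point of the fix for #944. Finally, the commit message still reads "Tests: ..." with no test reference; a web-platform-tests link should be filled in before merge.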