fix: clear cookie headers too on redirect

jd1378 · Jul 20, 2024 · e2d40f5 · e2d40f5
1 parent 5feaa82
commit e2d40f5
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 8 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -10,7 +10,5 @@
   "deno.unstable": true,
   "deno.lint": true,
   "debug.javascript.unmapMissingSources": true,
-  "deno.import_intellisense_origins": {
-    "https://deno.land": true
-  }
+  "deno.codeLens.test": true,
 }
diff --git a/deno.lock b/deno.lock
diff --git a/fetch_wrapper.ts b/fetch_wrapper.ts
@@ -69,7 +69,7 @@ export function wrapFetch(options?: WrapFetchOptions): typeof fetch {
     if (cookieString.length) {
       reqHeaders.set("cookie", cookieString);
     }
-    
+
     reqHeaders.delete("cookie2"); // Remove cookie2 if it exists, It's deprecated
 
     interceptedInit.headers = reqHeaders;
@@ -129,7 +129,10 @@ export function wrapFetch(options?: WrapFetchOptions): typeof fetch {
 
     // Do not forward sensitive headers to third-party domains.
     if (!isDomainOrSubdomain(originalRequestUrl, redirectUrl)) {
-      for (const name of ["authorization", "www-authenticate"]) { // cookie headers are handled differently
+      // cookie headers are handled differently
+      for (
+        const name of ["authorization", "www-authenticate", "cookie", "cookie2"]
+      ) {
         filteredHeaders.delete(name);
       }
     }

diff --git a/fetch_wrapper_test.ts b/fetch_wrapper_test.ts
@@ -545,7 +545,7 @@ Deno.test("doesn't send sensitive headers after redirect to different domains",
       "request had `authorization` in headers",
     );
     assertFalse(
-      resHeaders.get("cookie"),
+      resHeaders.has("cookie"),
       "`cookie` header is not empty",
     );
     assertFalse(
@@ -606,8 +606,6 @@ Deno.test("handles path redirections", async () => {
       { method: "GET" },
     ).then((r) => r.text());
 
-    console.log(res);
-
     assertEquals(
       res,
       "foo",