HTTPS traffic over a proxy is sent unencrypted

[ristowee]

Hi, There's a problem when trying to transfer https traffic over an http proxy. The current implementation does not send the CONNECT message to the proxy that would establish a tunnel for the end-to-end https connection. Instead the data is initiated with a GET message and the rest of the data is sent unencrypted between the client and the proxy.

There's already a pull request that would fix this issue by using an agent, which would take care of the proxy connection (https://github.com/EventSource/eventsource/pull/143). I decided to create an issue in case the pull request was accidentally overlooked.

Of course, if the server used http then the agent should be HttpProxyAgent instead. Alternatively, the old proxy functionality could be kept for the http server but the documentation should point out that the that it shouldn't be used for the https traffic.

diff --git a/lib/eventsource.js b/lib/eventsource.js
index 69c5525..76e9621 100644
--- a/lib/eventsource.js
+++ b/lib/eventsource.js
@@ -112,7 +112,10 @@ function EventSource (url, eventSourceInitDict) {
     // If specify http proxy, make the request to sent to the proxy server,
     // and include the original url in path and Host headers
     var useProxy = eventSourceInitDict && eventSourceInitDict.proxy
-    if (useProxy) {
+    var agent = eventSourceInitDict && eventSourceInitDict.agent
+    if (agent) {
+      options.agent = agent
+    } else if (useProxy) {
       var proxy = parse(eventSourceInitDict.proxy)
       isSecure = proxy.protocol === 'https:'