sindresorhus / got

🌐 Human-friendly and powerful HTTP request library for Node.js
MIT License

Cross-origin redirect with basic auth is incorrect #1652

Closed stevenvachon closed 3 years ago

stevenvachon commented 3 years ago

Describe the bug

Basic authentication headers persist across redirects to different origins.

Expected behavior

Basic authentication should not be transitive across redirects to a different origin.

Code to reproduce

const got = require('got');

// `url` is an endpoint that redirects to a different origin
got.stream(url, {
  auth: 'user:pass',
  method: 'get'
})
  .on('redirect', ({ headers }) => console.log(headers));


szmarczak commented 3 years ago

There is no auth option in the docs.

szmarczak commented 3 years ago

Please upgrade to 11.8.2 :)

stevenvachon commented 3 years ago

It might be reproducible with v11.x and its username/password properties, but I can't yet upgrade due to some mysterious issues.

This is an HTTP conformance issue, so a core contributor would know if it's been addressed or not.

szmarczak commented 3 years ago

Looks like a duplicate of #1090

szmarczak commented 3 years ago

> mysterious issues

WDYM?

stevenvachon commented 3 years ago

> Looks like a duplicate of #1090

Ah, so it's specifically fixed in v11? That would be most excellent!

> > mysterious issues
>
> WDYM?

https://github.com/Woorank/robots-txt-parse/issues/7 -- it's closed, but only because that lib doesn't seem to be to blame.

szmarczak commented 3 years ago

https://github.com/sindresorhus/got/issues/223#issuecomment-405076226
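
The expected behavior from the issue, as an added example that is not part of the thread and is not got's own code: credential headers are dropped as soon as a redirect leaves the origin and are not restored if a later hop returns to it. The function names, the `.test` hostnames and the redirect map are constructed for illustration, and stripping `Cookie` alongside `Authorization` goes beyond what the issue asks for.

```javascript
// Added example, not got's implementation: which headers survive a redirect.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie']);

// Origin = scheme + host + port; URL.origin normalizes default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Resolve the Location value and return the URL and headers for the next request.
function headersForRedirect(currentUrl, location, headers) {
  const nextUrl = new URL(location, currentUrl).href; // Location may be relative
  if (sameOrigin(currentUrl, nextUrl)) {
    return { url: nextUrl, headers: { ...headers } };
  }
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return { url: nextUrl, headers: kept };
}

// Walk a redirect map offline and record whether each hop would receive credentials.
function followChain(startUrl, startHeaders, redirects, maxHops = 10) {
  const hops = [];
  let url = startUrl;
  let headers = startHeaders;
  for (let i = 0; i <= maxHops; i++) {
    const sendsAuth = Object.keys(headers).some((h) => h.toLowerCase() === 'authorization');
    hops.push({ url, sendsAuth });
    const location = redirects[url];
    if (location === undefined) return hops;
    ({ url, headers } = headersForRedirect(url, location, headers));
  }
  throw new Error('too many redirects');
}

// Constructed sample data: 'dXNlcjpwYXNz' is base64 of the issue's 'user:pass'.
const SAMPLE_START = 'https://app.example.test/start';
const SAMPLE_HEADERS = { Authorization: 'Basic dXNlcjpwYXNz', Accept: '*/*' };
const SAMPLE_REDIRECTS = {
  'https://app.example.test/start': '/login', // same origin, relative
  'https://app.example.test/login': 'https://other.example.test/file', // cross-origin
  'https://other.example.test/file': 'https://app.example.test/done', // back again
};

console.log(followChain(SAMPLE_START, SAMPLE_HEADERS, SAMPLE_REDIRECTS));
```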