author | Linus Groh <mail@linusgroh.de> | 2022-12-07 18:48:40 +0000 |
committer | Linus Groh <mail@linusgroh.de> | 2022-12-08 15:37:19 +0000 |
commit | 3414a6ba20400b9b645f6039ecbd71359dfca2c0 (patch) | |
tree | 3ed5dfb47bd3d27a0c12b57eed264d18dda9071e | |
parent | 2f1bda33479b8b62065ee8d14c0ee605b87fd6a2 (diff) | |
download | serenity-3414a6ba20400b9b645f6039ecbd71359dfca2c0.zip |
LibWeb/Fetch: Remove Authorization header upon cross-origin redirect
This is a change in the Fetch spec.
See: https://github.com/whatwg/fetch/commit/9004f4e
-rw-r--r-- | Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
index 8495de8dc6..f9d9aa334b 100644
--- a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
+++ b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
@@ -961,11 +961,11 @@ WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> http_redirect_fetch(JS::R
     if (!Infrastructure::is_http_or_https_scheme(location_url.scheme()))
         return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request redirect URL must have HTTP or HTTPS scheme"sv));
 
-    // 7. If request’s redirect count is twenty, return a network error.
+    // 7. If request’s redirect count is 20, then return a network error.
     if (request->redirect_count() == 20)
         return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has reached maximum redirect count of 20"sv));
 
-    // 8. Increase request’s redirect count by one.
+    // 8. Increase request’s redirect count by 1.
     request->set_redirect_count(request->redirect_count() + 1);
 
     // 8. If request’s mode is "cors", locationURL includes credentials, and request’s origin is not same origin with
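Review bot: The context line directly after the renumbered step 8 is also labelled `// 8.` (`// 8. If request’s mode is "cors", locationURL includes credentials, ...`), so this hunk leaves two step-8 comments in a row while the later hunks renumber steps 14–20 to the current spec. Presumably that line should become `// 9. If request’s mode is "cors", locationURL includes credentials, and request’s origin is not same origin with` so the whole function follows one numbering scheme. http_redirect_fetch starts before and ends after this hunk.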
@@ -1013,7 +1013,18 @@ WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> http_redirect_fetch(JS::R
             request->header_list()->delete_(header_name.bytes());
     }
 
-    // 13. If request’s body is non-null, then set request’s body to the body of the result of safely extracting
+    // 13. If request’s current URL’s origin is not same origin with locationURL’s origin, then for each headerName of
+    // CORS non-wildcard request-header name, delete headerName from request’s header list.
+    // NOTE: I.e., the moment another origin is seen after the initial request, the `Authorization` header is removed.
+    if (!URL::url_origin(request->current_url()).is_same_origin(URL::url_origin(location_url))) {
+        static constexpr Array cors_non_wildcard_request_header_names {
+            "Authorization"sv
+        };
+        for (auto header_name : cors_non_wildcard_request_header_names)
+            request->header_list()->delete_(header_name.bytes());
+    }
+
+    // 14. If request’s body is non-null, then set request’s body to the body of the result of safely extracting
     // request’s body’s source.
     // NOTE: request’s body’s source’s nullity has already been checked.
     if (!request->body().has<Empty>()) {
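Review bot: The new cross-origin branch strips `Authorization` through `header_list()->delete_(header_name.bytes())`, so it only meets the spec's intent if `delete_` matches header names case-insensitively as the Fetch header-list delete algorithm requires; if it compares bytes exactly, an `authorization` header set by script with different casing would survive the redirect and be forwarded to the new origin. I cannot see `delete_` from this hunk (the step 12 loop above relies on the same behaviour), so a test that sends a mixed-case `Authorization` header through a cross-origin redirect and asserts it is absent at the second origin would pin this. It would also help to say why the comparison uses `request->current_url()` here, e.g. `// NOTE: current URL is still the pre-redirect URL at this point; locationURL is only appended to the URL list in step 18.` http_redirect_fetch starts before and ends after this hunk.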
@@ -1026,26 +1037,26 @@ WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> http_redirect_fetch(JS::R
         request->set_body(move(body));
     }
 
-    // 14. Let timingInfo be fetchParams’s timing info.
+    // 15. Let timingInfo be fetchParams’s timing info.
     auto timing_info = fetch_params.timing_info();
 
-    // 15. Set timingInfo’s redirect end time and post-redirect start time to the coarsened shared current time given
+    // 16. Set timingInfo’s redirect end time and post-redirect start time to the coarsened shared current time given
     // fetchParams’s cross-origin isolated capability.
     auto now = HighResolutionTime::coarsened_shared_current_time(fetch_params.cross_origin_isolated_capability() == HTML::CanUseCrossOriginIsolatedAPIs::Yes);
     timing_info->set_redirect_end_time(now);
     timing_info->set_post_redirect_start_time(now);
 
-    // 16. If timingInfo’s redirect start time is 0, then set timingInfo’s redirect start time to timingInfo’s start
+    // 17. If timingInfo’s redirect start time is 0, then set timingInfo’s redirect start time to timingInfo’s start
     // time.
     if (timing_info->redirect_start_time() == 0)
         timing_info->set_redirect_start_time(timing_info->start_time());
 
-    // 17. Append locationURL to request’s URL list.
+    // 18. Append locationURL to request’s URL list.
     request->url_list().append(location_url);
 
-    // FIXME: 18. Invoke set request’s referrer policy on redirect on request and actualResponse.
+    // FIXME: 19. Invoke set request’s referrer policy on redirect on request and actualResponse.
 
-    // 19. Return the result of running main fetch given fetchParams and true.
+    // 20. Return the result of running main fetch given fetchParams and true.
     return TRY(main_fetch(realm, fetch_params, Recursive::Yes)).release_value();
 }