Skip to content

Strip credential headers when a redirect changes scheme on the same host#447

Merged
tomas merged 1 commit into
tomas:masterfrom
greymoth-jp:fix/redirect-scheme-strip-credentials
Jul 1, 2026
Merged

Strip credential headers when a redirect changes scheme on the same host#447
tomas merged 1 commit into
tomas:masterfrom
greymoth-jp:fix/redirect-scheme-strip-credentials

Conversation

@greymoth-jp

Copy link
Copy Markdown
Contributor

When following a redirect, needle removes authorization, cookie and proxy-authorization if the new location is on a different host or port (the else branch in lib/needle.js). The same-host check, utils.host_and_ports_match, only compares host and port and ignores the scheme. A redirect that keeps the host and port but downgrades the scheme, for example https://example.com:8443 to http://example.com:8443, therefore keeps authorization and proxy-authorization and sends them over the plaintext connection.

The origin is the scheme, host and port together, so a scheme change is still cross-origin. This adds a small protocols_match helper, and when the host and port match but the scheme differs it drops the two auth headers before the request is re-sent. The cookie is left to the existing follow_set_cookies logic, which already removes it by default.

For reference, node-fetch strips on !isSameProtocol(...), and undici and @hapi/wreck (hapijs/wreck#313) compare the full origin, so this lines needle up with how the other clients treat the scheme on redirect.

The added test in test/redirect_spec.js does an https to http redirect on the same host and port and checks the credential headers are gone. It fails on master and passes with this change.

@tomas

tomas commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Nice PR! Thanks

@tomas tomas merged commit b167525 into tomas:master Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants