From 4329a7e88c72079ae3eedbb1558b929851507464 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on cross-origin
redirect
This should match the behavior of Firefox and Safari but not of Chromium.
---
libsoup/soup-session.c | 6 ++++
tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
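--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1187,6 +1187,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
 SOUP_ENCODING_NONE);
 }
 
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove (msg->request_headers, "Authorization");
+ soup_message_set_auth (msg, NULL);
+ }
+
 soup_message_set_uri (msg, new_uri);
 soup_uri_free (new_uri);
 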
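Review bot: The added comment promises that all credentials are stripped, but the block clears only the `Authorization` request header and the message's auth object; a `Cookie` or other credential-bearing header that the application set directly on `msg->request_headers` would, as far as this hunk shows, still be sent to the new origin. Either widen the block or narrow the comment, for example `/* Strip the Authorization header and the message's auth on cross-origin redirect; other caller-set headers are left as they are. */`. The diffstat lists 77 added lines in tests/auth-test.c, yet this copy of the patch carries only the soup-session.c hunk, so the regression test should be restored or run separately to confirm the change behaves as intended in this tree. soup_session_redirect_message starts and ends outside the hunk, so any header filtering done elsewhere in the function cannot be seen here.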
--
2.49.0