-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(Headers): don't forward secure headers on protocol change #1599
fix(Headers): don't forward secure headers on protocol change #1599
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
great PR 👍🏼
🎉 This PR is included in version 3.2.9 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Sorry if this is the wrong place to ask, but since this PR is a fix for a security issue, will (or should) it be backported to the 2.x branch as it was done for #1449? Is this done automatically or should I (or someone else interested in the fix) open another PR targeting the 2.x branch for that? |
backport for node-fetch#1599 to the 2.x branch
if you @victal could create a PR to the |
Just created #1605 for it, thanks! |
backport for #1599 to the 2.x branch Co-authored-by: Guilherme Victal <[email protected]>
Purpose
Resolves https://www.huntr.dev/bounties/db31e05b-ff10-4057-81a3-37445bf161cd/ by validating that the URL protocol remains the same when determining whether to send secure headers on a redirect.
This prevents MITM attacks from sniffing secure headers when a redirect downgrades a
https://
to ahttp://
Changes
Adds an additional check to the redirect
follow
step to determine whether to send secure headers or not.Additional information