@@ -135,7 +135,7 @@ import {envIsSupported} from '../testing/utils';
135135 name : 'other' ,
136136 installMode : 'lazy' ,
137137 updateMode : 'lazy' ,
138- urls : [ '/baz.txt' , '/qux.txt' , '/lazy/redirected.txt' ] ,
138+ urls : [ '/baz.txt' , '/qux.txt' , '/lazy/redirected.txt' , '/lazy/cross-origin-redirected.txt' ] ,
139139 patterns : [ ] ,
140140 cacheQueryOptions : { ignoreVary : true } ,
141141 } ,
@@ -220,6 +220,11 @@ import {envIsSupported} from '../testing/utils';
220220 . withStaticFiles ( dist )
221221 . withRedirect ( '/redirected.txt' , '/redirect-target.txt' )
222222 . withRedirect ( '/lazy/redirected.txt' , '/lazy/redirect-target.txt' )
223+ . withRedirect (
224+ '/lazy/cross-origin-redirected.txt' ,
225+ 'https://example.com/lazy/redirect-target.txt' ,
226+ )
227+ . withRedirect ( 'https://example.com/lazy/redirect-target.txt' , '/lazy/redirect-target.txt' )
223228 . withError ( '/error.txt' ) ;
224229
225230 const server = serverBuilderBase . withManifest ( manifest ) . build ( ) ;
@@ -1681,14 +1686,40 @@ import {envIsSupported} from '../testing/utils';
16811686 // Request a redirected, lazy-cached asset (so that it is fetched from the network) and
16821687 // provide headers.
16831688 const reqInit = {
1684- headers : { SomeHeader : 'SomeValue' } ,
1689+ headers : {
1690+ Authorization : 'Bearer secret' ,
1691+ SomeHeader : 'SomeValue' ,
1692+ } ,
16851693 } ;
16861694 expect ( await makeRequest ( scope , '/lazy/redirected.txt' , undefined , reqInit ) ) . toBe (
16871695 'this was a redirect too' ,
16881696 ) ;
16891697
16901698 // Verify that the headers were passed through to the network.
16911699 const [ redirectReq ] = server . getRequestsFor ( '/lazy/redirect-target.txt' ) ;
1700+ expect ( redirectReq . headers . get ( 'Authorization' ) ) . toBe ( 'Bearer secret' ) ;
1701+ expect ( redirectReq . headers . get ( 'SomeHeader' ) ) . toBe ( 'SomeValue' ) ;
1702+ } ) ;
1703+
1704+ it ( 'does not pass sensitive headers through to a different origin' , async ( ) => {
1705+ const reqInit = {
1706+ headers : {
1707+ Authorization : 'Bearer secret' ,
1708+ Cookie : 'session=secret' ,
1709+ 'Proxy-Authorization' : 'Basic secret' ,
1710+ SomeHeader : 'SomeValue' ,
1711+ } ,
1712+ } ;
1713+ expect (
1714+ await makeRequest ( scope , '/lazy/cross-origin-redirected.txt' , undefined , reqInit ) ,
1715+ ) . toBe ( 'this was a redirect too' ) ;
1716+
1717+ const [ redirectReq ] = server . getRequestsFor (
1718+ 'https://example.com/lazy/redirect-target.txt' ,
1719+ ) ;
1720+ expect ( redirectReq . headers . get ( 'Authorization' ) ) . toBeNull ( ) ;
1721+ expect ( redirectReq . headers . get ( 'Cookie' ) ) . toBeNull ( ) ;
1722+ expect ( redirectReq . headers . get ( 'Proxy-Authorization' ) ) . toBeNull ( ) ;
16921723 expect ( redirectReq . headers . get ( 'SomeHeader' ) ) . toBe ( 'SomeValue' ) ;
16931724 } ) ;
16941725
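Review bot: The new test 'does not pass sensitive headers through to a different origin' (new-side lines 1704–1723) only inspects the request recorded for `https://example.com/lazy/redirect-target.txt`. The fixture added in the second hunk redirects that URL back to the same-origin `/lazy/redirect-target.txt`, and nothing asserts which headers that final hop carries. A regression that strips credentials for the cross-origin hop but re-attaches the original `Authorization`/`Cookie` once the chain returns to the first origin would still pass. The intended behaviour should be pinned; if it is meant to match browser fetch, where removed headers stay removed, add `const [finalReq] = server.getRequestsFor('/lazy/redirect-target.txt');` and `expect(finalReq.headers.get('Authorization')).toBeNull();`. This assumes the mock server's request log is reset per test, which should be confirmed. Adding a lowercase `authorization` key to a `reqInit` would also guard against a case-sensitive strip list.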