Strip sensitive headers on cross-origin redirects.

aaugustin · aaugustin · commit e48fe3cdc7e8 · 2026-04-17T23:18:35.000+02:00
Given the lack of established best practicesfor handling redirects
on WebSocket connections, we mimic best practices for HTTP libraries,
even though vulnerabilities affecting HTTP don't always translate to
WebSocket, notably because it's unlikely that an attacker would be
able to control the URI to which a Python WebSocket client connects,
without controlling the client entirely.

Thank Nadav Magier for reporting this security hardening opportunity.
diff --git a/docs/project/changelog.rst b/docs/project/changelog.rst
@@ -35,6 +35,9 @@ notice.
 Improvements
 ............
 
+* Stripped ``Authorization``, ``Cookie``, and ``Proxy-Authorization`` headers
+  when clients follow cross-origin redirects, a security hardening measure.
+
 * Added wheels for ARMv7, PowerPC, RISC-V, and S/390.
 
 .. _16.0:
diff --git a/src/websockets/asyncio/client.py b/src/websockets/asyncio/client.py
@@ -12,7 +12,7 @@
 from typing import Any, Callable, Literal, cast
 
 from ..client import ClientProtocol, backoff
-from ..datastructures import HeadersLike
+from ..datastructures import Headers, HeadersLike
 from ..exceptions import (
     InvalidMessage,
     InvalidProxyMessage,
@@ -529,6 +529,17 @@ def process_redirect(self, exc: Exception) -> Exception | str:
                     f"with an explicit host or port"
                 )
 
+            # Strip credentials to avoid leaking them to a different origin.
+            if self.additional_headers is not None:
+                self.additional_headers = Headers(
+                    (
+                        (key, value)
+                        for key, value in Headers(self.additional_headers).raw_items()
+                        if key.lower()
+                        not in ["authorization", "cookie", "proxy-authorization"]
+                    )
+                )
+
         return new_uri
 
     # ... = await connect(...)
diff --git a/src/websockets/legacy/client.py b/src/websockets/legacy/client.py
@@ -569,6 +569,17 @@ def handle_redirect(self, uri: str) -> None:
             if not old_wsuri.secure and new_wsuri.secure:
                 factory.keywords["secure"] = True
                 self._create_connection.keywords.setdefault("ssl", True)
+            # Strip credentials to avoid leaking them to a different origin.
+            extra_headers = factory.keywords.get("extra_headers")
+            if extra_headers is not None:  # pragma: no cover
+                factory.keywords["extra_headers"] = Headers(
+                    (
+                        (key, value)
+                        for key, value in Headers(extra_headers).raw_items()
+                        if key.lower()
+                        not in ["authorization", "cookie", "proxy-authorization"]
+                    )
+                )
             # Replace secure, host, and port arguments of the protocol factory.
             factory = functools.partial(
                 factory.func,
diff --git a/tests/asyncio/test_client.py b/tests/asyncio/test_client.py
@@ -350,6 +350,53 @@ def redirect(connection, request):
             "cannot follow redirect to ws://invalid/ with a preexisting socket",
         )
 
+    async def test_cross_origin_redirect_strips_credentials(self):
+        """Client strips credentials when following a cross-origin redirect."""
+
+        def redirect(connection, request):
+            response = connection.respond(http.HTTPStatus.FOUND, "")
+            response.headers["Location"] = get_uri(other_server)
+            return response
+
+        async with serve(*args, process_request=redirect) as server:
+            async with serve(*args) as other_server:
+                async with connect(
+                    get_uri(server),
+                    additional_headers={
+                        "Authorization": "Bearer secret",
+                        "Cookie": "session=secret",
+                        "Proxy-Authorization": "Basic secret",
+                        "X-Custom": "keep",
+                    },
+                ) as client:
+                    self.assertNotIn("Authorization", client.request.headers)
+                    self.assertNotIn("Cookie", client.request.headers)
+                    self.assertNotIn("Proxy-Authorization", client.request.headers)
+                    self.assertIn("X-Custom", client.request.headers)
+
+    async def test_same_origin_redirect_preserves_credentials(self):
+        """Client preserves credentials when following a same-origin redirect."""
+
+        def redirect(connection, request):
+            if request.path == "/redirect":
+                response = connection.respond(http.HTTPStatus.FOUND, "")
+                response.headers["Location"] = "/"
+                return response
+
+        async with serve(*args, process_request=redirect) as server:
+            async with connect(
+                get_uri(server) + "/redirect",
+                additional_headers={
+                    "Authorization": "Bearer secret",
+                    "Cookie": "session=secret",
+                    "Proxy-Authorization": "Basic secret",
+                    "X-Custom": "keep",
+                },
+            ) as client:
+                self.assertIn("Authorization", client.request.headers)
+                self.assertIn("Cookie", client.request.headers)
+                self.assertIn("Proxy-Authorization", client.request.headers)
+
     async def test_invalid_uri(self):
         """Client receives an invalid URI."""
         with self.assertRaises(InvalidURI):
