Undici's cookie header not cleared on cross-origin redirect in fetch #359
Labels
No labels
blocked
duplicate
enhancement
good first issue
help wanted
invalid
needs criteria
needs estimate
question
type
admin
type
bug
type
defect
type
dependencies
type
documentation
type
epic
type
incident
type
investigation
type
spike
type
story
type
subtask
wontfix
blocked
duplicate
needs criteria
needs estimate
question
type
admin
type
alert
type
bug
type
defect
type
dependencies
type
design
type
documentation
type
epic
type
incident
type
investigation
type
spike
type
story
won't fix
No milestone
No project
No assignees
1 participant
Notifications
Total time spent: 3 minutes 14 seconds
Due date
Vylpes
3 minutes 14 seconds
No due date set.
Dependencies
No dependencies set.
Reference: RabbitLabs/vylbot-app#359
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Package: undici (npm)
Affected versions: < 5.26.2
Patched version: 5.26.2
Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.