eventsource
Feature: fix a number of redirect handling issues
When requesting an eventsource endpoint and defining custom, sensitive headers, such as Authorization and Cookie, these headers should not be forwarded when redirecting to a different origin than the original.
While looking into fixing this, I discovered that the current redirect handling also does not support relative URLs in the Location header (e.g. Location: /some/other/path), nor does it set any limit on the maximum number of redirects. Instead of attempting to patch all these shortcomings, I feel we are better suited by utilizing the follow-redirects module, which handles all of these cases and is widely used.
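The three redirect rules named in the PR description above (strip sensitive headers on a cross-origin hop, resolve a relative Location, cap the number of redirects), as an added example that is not code from this PR or from the follow-redirects module. The names `nextRequest`, `SENSITIVE_HEADERS` and `MAX_REDIRECTS`, the limit of 5 and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration; nextRequest, SENSITIVE_HEADERS and MAX_REDIRECTS are hypothetical names.
const SENSITIVE_HEADERS = ['authorization', 'cookie']; // the headers named in the PR description
const MAX_REDIRECTS = 5; // assumed limit; the PR does not state a number

// current: { url, headers, redirects } for the request that just received a 3xx response.
// Returns the follow-up request, or throws if the redirect must not be followed.
function nextRequest(current, locationHeader) {
  if (!locationHeader) throw new Error('redirect without a Location header');
  if (current.redirects >= MAX_REDIRECTS) throw new Error('too many redirects');

  // Resolve relative values such as "/some/other/path" against the current URL.
  const from = new URL(current.url);
  const to = new URL(locationHeader, from);
  if (to.protocol !== 'http:' && to.protocol !== 'https:') {
    throw new Error('refusing redirect to scheme ' + to.protocol);
  }

  // Origin = scheme + host + port, so an https -> http downgrade also counts as cross-origin.
  const sameOrigin = to.origin === from.origin;
  const headers = {};
  for (const [name, value] of Object.entries(current.headers)) {
    // Header names are case-insensitive; compare in lower case.
    if (!sameOrigin && SENSITIVE_HEADERS.includes(name.toLowerCase())) continue;
    headers[name] = value;
  }
  // Stripped headers are not restored if a later hop returns to the first origin.
  return { url: to.href, headers, redirects: current.redirects + 1 };
}

// Constructed sample: a request carrying credentials, followed through three hops.
const start = {
  url: 'https://api.example.test/events',
  headers: { Authorization: 'Bearer constructed-token', Cookie: 'sid=constructed', Accept: 'text/event-stream' },
  redirects: 0,
};
const hop1 = nextRequest(start, '/some/other/path');               // relative, same origin
const hop2 = nextRequest(hop1, 'https://cdn.example.test/stream'); // different origin
const hop3 = nextRequest(hop2, 'https://api.example.test/events'); // back to the first origin
console.log(hop1.url, Object.keys(hop1.headers));
console.log(hop2.url, Object.keys(hop2.headers));
console.log(hop3.url, Object.keys(hop3.headers));
```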
We should however release this as a major update since webpack configs may need to be updated.
I don't think there should be any config changes necessary, but given I am not 100% sure, I agree with your point. Given this is patching a security issue, I really want to get a patch release out to ensure people don't have to upgrade to a new major to be covered. I have opened #273 to address only the headers issue, leaving this one as a general redirect handling PR.
Would you mind reviewing that one, @joeybaker?