fix: do not follow redirect if scheme is not an HTTP(S) scheme #62
Conversation
🦋 Changeset detectedLatest commit: 25b5f62 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
| finalize(); | ||
| return; | ||
| } | ||
|
|
||
| // HTTP-redirect fetch step 6 (counter increment) |
There was a problem hiding this comment.
Not from this PR but looks like some of the steps are invalid in here as the spec has evolved maybe? we could take a pass through in a separate PR some other time to get the comments updated
| // HTTP-redirect fetch step 6 (counter increment) | |
| // HTTP-redirect fetch step 7 (counter increment) |
| @@ -180,6 +180,14 @@ async function fetch(url, options_ = {}) { | |||
| return; | |||
| } | |||
|
|
|||
| // https://fetch.spec.whatwg.org/#http-redirect-fetch | |||
| // 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network error. | |||
| if (locationURL.protocol !== 'http:' && locationURL.protocol !== 'https:') { | |||
There was a problem hiding this comment.
This protocol check looks good, but we may also want to support a relative redirection as in an empty locationURL. e.g. Location: /home.
There was a problem hiding this comment.
locationURL is constructed based on the request URL and takes this into consideration already. Tests exist as well:
web-std-io/packages/fetch/src/fetch.js
Line 155 in 050356b
No description provided.