Fix: strip sensitive headers on redirect to different origin #273
Conversation
rexxars
force-pushed
the
fix/redirect-drop-sensitive
branch
from
d80d2b9
to
5ea3b6e
Compare
|
Hi @rexxars! Thanks for the hard work on this one. Thanks again :) |
Yes, I backported it to 1.1.1 in case people are still on 1.x and cannot upgrade for some reason. Generally we don't maintain the 1.x range any longer, but felt like patching this was worthwhile. |
Thanks for thinking about that :) |
I originally sent a PR for this as #271, but it fixed a number of issues related to the redirect handling which could be considered breaking - and also added a dependency. After giving @joeybaker's review some thought, I am really eager to get a patch release out for this issue, as I don't want to leave the entire 2.x range with a security issue.
This PR attempts to address only the security issue, and does so in a way that should be backwards compatible. I still think we should improve the redirect handling overall, so I have renamed #271 to be more descriptive about this.
In other words, I want to merge this PR first, release a patch release on the 2.x range (potentially also backporting it to 1.x). Later on, I want to merge #271 and do a major release for that - but there is no rush with that one.