Re: [whatwg/fetch] Remove Authorization header upon cross-origin redirect (PR #1544) from Anne van Kesteren on 2022-11-25 (public-webapps-github@w3.org from November 2022)

From: Anne van Kesteren <notifications@github.com>
Date: Fri, 25 Nov 2022 00:19:36 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1544/c1327145052@github.com>

That is correct. User agents credentials are not stored on a request. They are added to a copy of a request just before it goes to the network, essentially. Therefore they only survive redirects if the subsequent URL happens to have the same user agent credentials associated with it.

Tests are at https://github.com/web-platform-tests/wpt/pull/37145. I'll file a Chromium issue and merge this.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1544#issuecomment-1327145052
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1544/c1327145052@github.com>

Received on Friday, 25 November 2022 08:19:48 UTC