[whatwg/fetch] Authorization-removal change was compatibility-breaking (Issue #1631)

Removal of the `Authorization` header when a request is redirected was proposed in https://github.com/whatwg/fetch/issues/944, merged into the spec in https://github.com/whatwg/fetch/pull/1544, and implemented in nodejs in `18.4.0`. This broke my program; see https://github.com/nodejs/node/issues/46287.

I have worked around the problem by switching from nodejs's builtin implementation of `fetch` to the `node-fetch` library, which has not implemented this spec change. However, I'm worried that `node-fetch` is going to make the same change, in which case I'll be forced to pin an obsolete version and accept whatever security issues that creates. As far as I can tell, there is no documented way to handle the case where you have an API key and an endpoint that's going to redirect you. The spec change proposal alludes to an analogous `curl` behavior, which curl disables with `--location-trusted`, but there is nothing analogous to `--location-trusted` in the `fetch` specification or the documentation of any of its implementations.


Received on Sunday, 16 April 2023 00:20:56 UTC
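One way to handle the API-key-plus-redirect case described in the issue is to follow redirects by hand and keep `Authorization` only for an explicit allowlist of origins, which is narrower than curl's `--location-trusted`. The following is an added example, not code from the issue, the Fetch spec, or any implementation. It assumes a server-side runtime such as Node.js where `redirect: "manual"` exposes the 3xx status and `Location` header; `nextRequest`, `fetchTrusted`, `trustedOrigins` and `fetchImpl` are hypothetical names.

```javascript
// Added example (not from the issue or from any fetch implementation).
// Hypothetical helpers: nextRequest, fetchTrusted, trustedOrigins, fetchImpl.
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Work out URL, method and headers for the next hop of a redirect chain.
function nextRequest(currentUrl, status, location, init, trustedOrigins) {
  const target = new URL(location, currentUrl); // resolves a relative Location
  const headers = new Headers(init.headers);
  const sameOrigin = target.origin === new URL(currentUrl).origin;
  const trusted = target.protocol === "https:" && trustedOrigins.has(target.origin);
  // The credential crosses an origin boundary only onto an allowlisted
  // https origin. Once dropped it stays dropped for the rest of the chain.
  if (!sameOrigin && !trusted) headers.delete("authorization");

  let { method = "GET", body } = init;
  method = method.toUpperCase();
  // 303 (except HEAD) and 301/302 after POST become a body-less GET.
  const toGet = (status === 303 && method !== "HEAD") ||
    ((status === 301 || status === 302) && method === "POST");
  if (toGet) {
    method = "GET";
    body = undefined;
    headers.delete("content-type");
  }
  return { url: target.href, init: { ...init, method, body, headers } };
}

// Follow redirects by hand so the decision above is applied on every hop.
// fetchImpl is injectable for testing; it defaults to the global fetch.
async function fetchTrusted(url, init = {}, trustedOrigins = new Set(),
                            fetchImpl = fetch, maxHops = 20) {
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(url, { ...init, redirect: "manual" });
    const location = res.headers.get("location");
    if (!REDIRECT_CODES.has(res.status) || !location) return res;
    await res.body?.cancel(); // discard the redirect response body
    ({ url, init } = nextRequest(url, res.status, location, init, trustedOrigins));
  }
  throw new Error("too many redirects");
}
```

The allowlist should hold only origins you control or have a contract with, since any origin on it receives the credential.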