Merge pull request #15 from fluture-js/avaq/same-origin

Fix notion of cross-origin to include scheme changes
fluture-js · Mar 1, 2022 · 1d689ea · 1d689ea
2 parents 2a5c6f4 + 0c99bc5
commit 1d689ea
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/index.js b/index.js
@@ -541,11 +541,12 @@ const mergeUrls = (base, input) => (
   base
 );
 
-// sameHost :: (Url, Url) -> Boolean
-const sameHost = (parent, child) => {
+// sameOrigin :: (Url, Url) -> Boolean
+const sameOrigin = (parent, child) => {
   const p = new URL (parent);
   const c = new URL (child);
-  return p.host === c.host || c.host.endsWith ('.' + p.host);
+  return (p.protocol === c.protocol || c.protocol === 'https:') &&
+         (p.host === c.host || c.host.endsWith ('.' + p.host));
 };
 
 // overHeaders :: (Request, Array2 String String -> Array2 String String)
@@ -583,7 +584,7 @@ export const redirectAnyRequest = response => {
                           (newUrl)
                           (Request.body (original));
 
-  return sameHost (oldUrl, newUrl) ? request : overHeaders (request, xs => (
+  return sameOrigin (oldUrl, newUrl) ? request : overHeaders (request, xs => (
     xs.filter (([name]) => !confidentialHeaders.includes (name.toLowerCase ()))
   ));
 };

diff --git a/test/index.js b/test/index.js
@@ -284,6 +284,11 @@ test ('redirectAnyRequest', () => Promise.all ([
                                          headers: {location: 'https://elsewhere.com/'},
                                          request: fn.Request ({headers: {cookie: 'yum'}}) ('https://example.com') (fn.emptyStream)})))
                  (fn.Request ({headers: {}}) ('https://elsewhere.com/') (fn.emptyStream)),
+  assertResolves (fl.map (fn.redirectAnyRequest)
+                         (mockResponse ({code: 301,
+                                         headers: {location: 'http://example.com/'},
+                                         request: fn.Request ({headers: {cookie: 'yum'}}) ('https://example.com') (fn.emptyStream)})))
+                 (fn.Request ({headers: {}}) ('http://example.com/') (fn.emptyStream)),
 ]));
 
 test ('redirectIfGetMethod', () => Promise.all ([