Remove Authorization header upon cross-origin redirect

annevk · web-flow · commit 9004f4e57c1e · 2022-11-25T09:29:50.000+01:00
Tests: web-platform-tests/wpt#37145. Fixes #944.
diff --git a/fetch.bs b/fetch.bs
@@ -4974,11 +4974,10 @@ run these steps:
  <li><p>If <var>locationURL</var>'s <a for=url>scheme</a> is not an <a>HTTP(S) scheme</a>, then
  return a <a>network error</a>.
 
- <li><p>If <var>request</var>'s <a for=request>redirect count</a> is
- twenty, return a <a>network error</a>.
+ <li><p>If <var>request</var>'s <a for=request>redirect count</a> is 20, then return a
+ <a>network error</a>.
 
- <li><p>Increase <var>request</var>'s
- <a for=request>redirect count</a> by one.
+ <li><p>Increase <var>request</var>'s <a for=request>redirect count</a> by 1.
 
  <li><p>If <var>request</var>'s <a for=request>mode</a> is "<code>cors</code>",
  <var>locationURL</var> <a>includes credentials</a>, and <var>request</var>'s
@@ -5016,6 +5015,16 @@ run these steps:
    <a for=request>header list</a>.
   </ol>
 
+ <li>
+  <p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> is not
+  <a>same origin</a> with <var>locationURL</var>'s <a for=url>origin</a>, then
+  <a for=list>for each</a> <var>headerName</var> of <a>CORS non-wildcard request-header name</a>,
+  <a for="header list">delete</a> <var>headerName</var> from <var>request</var>'s
+  <a for=request>header list</a>.
+
+  <p class=note>I.e., the moment another origin is seen after the initial request, the
+  `<code>Authorization</code>` header is removed.
+
  <li>
   <p>If <var>request</var>'s <a for=request>body</a> is non-null, then set <var>request</var>'s
   <a for=request>body</a> to the <a for="body with type">body</a> of the result of
