Clear Cookie header when redirect to cross-site #3417
I don't think this makes a lot of sense. Cookies already have a domain match logic to make them only get sent to the relevant hosts and are very frequently used across different names. Can you expand on exactly which use case or problem this would work for?
Thanks. The case is Cookie header is specified directly instead of When I try to run the following command, the Cookie header was forwarded to http://example.com.
There is no problem when
Ah right. I suppose this is sensible. The only little detail I miss here is a mention about this in the
@bagder So, should I add the following sentence under https://github.com/curl/curl/blob/master/docs/libcurl/opts/CURLOPT_HTTPHEADER.3#L87-L89 ?
Yes please!
LGTM
<info> | ||
<keywords> | ||
HTTP | ||
followlocation |
Should we have "cookies" here?
Thanks. I did.
Thanks!
After version 7.58.0, the Authorization header isn't forwarded cross-site on redirect.
A Cookie header with confidential data should also be supported.
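The check this thread asks for, as an added example that is not curl's own code: a custom `Authorization:` or `Cookie:` header line is kept on a redirect only when the target host name equals the original one. The names `url_host` and `forward_header` are hypothetical, and "same site" here means a case-insensitive host name match only (scheme and port are ignored, IPv6 literals are not parsed), which is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host of an absolute URL into out; 0 on success, -1 otherwise.
   Simplified parser (assumption): no IPv6 literals, no relative URLs. */
static int url_host(const char *url, char *out, size_t outlen)
{
  const char *p = strstr(url, "://");
  if(!p)
    return -1;
  p += 3;
  size_t authlen = strcspn(p, "/?#");   /* authority ends at path/query */
  const char *at = NULL;
  for(size_t i = 0; i < authlen; i++)   /* userinfo ends at the last '@' */
    if(p[i] == '@')
      at = p + i;
  if(at) {
    authlen -= (size_t)(at + 1 - p);
    p = at + 1;
  }
  size_t hostlen = 0;
  while(hostlen < authlen && p[hostlen] != ':')  /* drop ":port" */
    hostlen++;
  if(!hostlen || hostlen >= outlen)
    return -1;
  memcpy(out, p, hostlen);
  out[hostlen] = '\0';
  return 0;
}

/* Returns 1 if the custom header line may be sent to next_url, else 0. */
int forward_header(const char *first_url, const char *next_url,
                   const char *header)
{
  char a[256], b[256];
  if(strncasecmp(header, "Authorization:", 14) &&
     strncasecmp(header, "Cookie:", 7))
    return 1;                           /* not a credential header */
  if(url_host(first_url, a, sizeof(a)) || url_host(next_url, b, sizeof(b)))
    return 0;                           /* fail closed on unparsable URLs */
  return !strcasecmp(a, b);
}

int main(void)
{
  /* constructed sample: cross-host redirect, prints 0 */
  printf("%d\n", forward_header("http://a.example/", "http://b.example/",
                                "Cookie: sid=1"));
  return 0;
}
```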