Do redirects copy the headers from the initial requests

[bichhawat]

I might be missing something in the spec, but it seems to me that there is no description of how the headers from the initial request whose response is a redirect are handled when creating a redirect request. Are the headers copied over or is the header list empty when forwarding the request to the redirect URL

[jdm]

There's a note near the beginning of https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch by step 3.4 that makes clear that the same initial request object is used as the base for each subsequent request.

[bichhawat]

Thanks for the quick response. I understand that it copies the object as such but are the headers retained if the new request does not have relevant headers, i.e., if the httpRequest object does not have relevant data for appending say a Origin header, does the header from the previous request stay or is removed.

[jdm]

I don't understand the question. The httpRequest object is a copy of the request, including all of its headers. When a redirect is processed later (in step 5 of https://fetch.spec.whatwg.org/#concept-http-fetch) we use the original request object, not the copy that was used in http-network-or-cache-fetch.

[wanderview]

The effect should be that headers set explicitly on the Request objects propagate across redirects, but things set by the browser like Origin do not.

Edit: Well some headers set by the browser should not propagate across redirects by default.

[annevk]

@wanderview are you pointing out an issue in your "Edit:" remark? I think everything is fine here?

[wanderview]

I think its fine.

[annevk]

@bichhawat, if anything is still unclear please don't hesitate to ask further clarifying questions. If you have suggestions for how to make the Fetch Standard clearer with regards to this those are welcome too. Thanks!

[bichhawat]

Hi, Sorry for the late reply. The thing that was unclear to me was this:The request's header are used as is in the redirected request (generated as a result of a redirect response). There seems to be no provision in the spec to reset some sensitive headers like "Cookie" that are sent in the initial request while sending the redirect request (or am I missing something in the spec that does this). Thanks and Regards,Abhishek On Thursday, 22 June 2017 11:06 PM, Anne van Kesteren <[email protected]> wrote: Closed #553.— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[jdm]

The cookie header (for example) is set during the http-network-or-cache algorithm. The request object that has the cookie header added to it is a copy of the initial request (step 3). If a redirect occurs, the request object that is used as the base of the copy for the next request does not have the header present.

[bichhawat]

Oh, I misunderstood the request object to be the original request sent with all the information. Thanks a lot for clearing it up.

[ptoomey3]

Stumbled upon this thread and had a question about this as it relates to things like an Authorization header. In talking to a developer I work with, they noticed that it appeared the the authorization header is sent in the redirect request. That seems unexpected/risky since the redirect is to another domain. Is that expected behavior?

[annevk]

Yes, there are no exceptions. (Though see #609 for POST -> GET.)

(It's also not clear to me we could compatibly change that at this point.)