Skip to content

bpo-33661: Clear Authorization header when redirect to cross-site #11292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

bpo-33661: Clear Authorization header when redirect to cross-site #11292

wants to merge 3 commits into from

Conversation

kyoshidajp
Copy link

@kyoshidajp kyoshidajp commented Dec 23, 2018
edited by bedevere-bot
Loading

@the-knights-who-say-ni
Copy link

Hello, and thanks for your contribution!

I'm a bot set up to make sure that the project can legally accept your contribution by verifying you have signed the PSF contributor agreement (CLA).

Our records indicate we have not received your CLA. For legal reasons we need you to sign this before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue.

If you have recently signed the CLA, please wait at least one business day
before our records are updated.

You can check yourself to see if the CLA has been received.

Thanks again for your contribution, we look forward to reviewing it!

eamanu
eamanu reviewed Dec 23, 2018
View reviewed changes
Copy link
Contributor

@eamanu eamanu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://bugs.python.org/msg317793. The problem is that both authorization and cookies are sent on the redirect. Here I don't see the filter for Cookies. That is not necessary?

@kyoshidajp
Copy link
Author

@eamanu Thanks. It slipped my mind. I will add it. BTW, should I add other sensitive headers (WWW-Authenticate, Cookie2), too?

@eamanu
Copy link
Contributor

eamanu commented Dec 24, 2018

@eamanu Thanks. It slipped my mind. I will add it. BTW, should I add other sensitive headers (WWW-Authenticate, Cookie2), too?

I will put it in bugs.python for discuss

This was referenced Jun 8, 2022
Closed
Merged
@bedevere-bot
Copy link

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

@artem-smotrakov artem-smotrakov mannequin mentioned this pull request Apr 10, 2022
Open
@github-actions GitHub Actions
Copy link

This PR is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale Stale PR or inactive for long period of time. label Apr 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eamanu eamanu eamanu left review comments

Assignees
No one assigned
Labels
awaiting review stale Stale PR or inactive for long period of time.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kyoshidajp @the-knights-who-say-ni @eamanu @bedevere-bot @ezio-melotti