ci

.github/workflows/check-dist.yml

@@ -37,8 +37,13 @@ jobs:
       - name: Compare the expected and actual dist/ directories
         run: |
           if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
-            echo "Detected uncommitted changes after build.  See status below:"
+            echo "Detected uncommitted changes after build in dist folder. See status below:"
+            git diff
+            exit 1
+          fi
+
+          if [ "$(git diff --ignore-space-at-eol pre/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build in pre folder. See status below:"
             git diff
             exit 1
           fi
-        id: diff

dist/index.js

@@ -5386,10 +5386,21 @@ RedirectableRequest.prototype._processResponse = function (response) {
   // the user agent MAY automatically redirect its request to the URI
   // referenced by the Location field value,
   // even if the specific status code is not understood.
+
+  // If the response is not a redirect; return it as-is
   var location = response.headers.location;
-  if (location && this._options.followRedirects !== false &&
-      statusCode >= 300 && statusCode < 400) {
-    // Abort the current request
+  if (!location || this._options.followRedirects === false ||
+      statusCode < 300 || statusCode >= 400) {
+    response.responseUrl = this._currentUrl;
+    response.redirects = this._redirects;
+    this.emit("response", response);
+
+    // Clean up
+    this._requestBodyBuffers = [];
+    return;
+  }
+
+  // The response is a redirect, so abort the current request
   abortRequest(this._currentRequest);
   // Discard the remainder of the response to avoid waiting for data
   response.destroy();
@@ -5442,9 +5453,12 @@ RedirectableRequest.prototype._processResponse = function (response) {
   var redirectUrlParts = url.parse(redirectUrl);
   Object.assign(this._options, redirectUrlParts);
 
-    // Drop confidential headers when redirecting to another scheme:domain
-    if (redirectUrlParts.protocol !== currentUrlParts.protocol ||
-       !isSameOrSubdomain(redirectUrlParts.host, currentHost)) {
+  // Drop confidential headers when redirecting to a less secure protocol
+  // or to a different domain that is not a superdomain
+  if (redirectUrlParts.protocol !== currentUrlParts.protocol &&
+     redirectUrlParts.protocol !== "https:" ||
+     redirectUrlParts.host !== currentHost &&
+     !isSubdomain(redirectUrlParts.host, currentHost)) {
     removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
   }
 
@@ -5468,16 +5482,6 @@ RedirectableRequest.prototype._processResponse = function (response) {
   catch (cause) {
     this.emit("error", new RedirectionError(cause));
   }
-  }
-  else {
-    // The response is not a redirect; return it as-is
-    response.responseUrl = this._currentUrl;
-    response.redirects = this._redirects;
-    this.emit("response", response);
-
-    // Clean up
-    this._requestBodyBuffers = [];
-  }
 };
 
 // Wraps the key/value object of protocols with redirect functionality
@@ -5610,10 +5614,7 @@ function abortRequest(request) {
   request.abort();
 }
 
-function isSameOrSubdomain(subdomain, domain) {
-  if (subdomain === domain) {
-    return true;
-  }
+function isSubdomain(subdomain, domain) {
   const dot = subdomain.length - domain.length - 1;
   return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
 }

pre/index.js

@@ -5386,10 +5386,21 @@ RedirectableRequest.prototype._processResponse = function (response) {
   // the user agent MAY automatically redirect its request to the URI
   // referenced by the Location field value,
   // even if the specific status code is not understood.
+
+  // If the response is not a redirect; return it as-is
   var location = response.headers.location;
-  if (location && this._options.followRedirects !== false &&
-      statusCode >= 300 && statusCode < 400) {
-    // Abort the current request
+  if (!location || this._options.followRedirects === false ||
+      statusCode < 300 || statusCode >= 400) {
+    response.responseUrl = this._currentUrl;
+    response.redirects = this._redirects;
+    this.emit("response", response);
+
+    // Clean up
+    this._requestBodyBuffers = [];
+    return;
+  }
+
+  // The response is a redirect, so abort the current request
   abortRequest(this._currentRequest);
   // Discard the remainder of the response to avoid waiting for data
   response.destroy();
@@ -5442,9 +5453,12 @@ RedirectableRequest.prototype._processResponse = function (response) {
   var redirectUrlParts = url.parse(redirectUrl);
   Object.assign(this._options, redirectUrlParts);
 
-    // Drop confidential headers when redirecting to another scheme:domain
-    if (redirectUrlParts.protocol !== currentUrlParts.protocol ||
-       !isSameOrSubdomain(redirectUrlParts.host, currentHost)) {
+  // Drop confidential headers when redirecting to a less secure protocol
+  // or to a different domain that is not a superdomain
+  if (redirectUrlParts.protocol !== currentUrlParts.protocol &&
+     redirectUrlParts.protocol !== "https:" ||
+     redirectUrlParts.host !== currentHost &&
+     !isSubdomain(redirectUrlParts.host, currentHost)) {
     removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
   }
 
@@ -5468,16 +5482,6 @@ RedirectableRequest.prototype._processResponse = function (response) {
   catch (cause) {
     this.emit("error", new RedirectionError(cause));
   }
-  }
-  else {
-    // The response is not a redirect; return it as-is
-    response.responseUrl = this._currentUrl;
-    response.redirects = this._redirects;
-    this.emit("response", response);
-
-    // Clean up
-    this._requestBodyBuffers = [];
-  }
 };
 
 // Wraps the key/value object of protocols with redirect functionality
@@ -5610,10 +5614,7 @@ function abortRequest(request) {
   request.abort();
 }
 
-function isSameOrSubdomain(subdomain, domain) {
-  if (subdomain === domain) {
-    return true;
-  }
+function isSubdomain(subdomain, domain) {
   const dot = subdomain.length - domain.length - 1;
   return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
 }