eventsource
Comparing version 1.1.0 to 1.1.1
@@ -0,1 +1,5 @@ | ||
# [1.1.1](https://github.com/EventSource/eventsource/compare/v1.1.0...v1.1.1) | ||
* Do not include authorization and cookie headers on redirect to different origin ([#273](https://github.com/EventSource/eventsource/pull/273) Espen Hovlandsdal) | ||
# [1.1.0](https://github.com/EventSource/eventsource/compare/v1.0.7...v1.1.0) | ||
@@ -2,0 +6,0 @@ |
@@ -34,2 +34,4 @@ var original = require('original') | ||
var readyState = EventSource.CONNECTING | ||
var headers = eventSourceInitDict && eventSourceInitDict.headers | ||
var hasNewOrigin = false | ||
Object.defineProperty(this, 'readyState', { | ||
@@ -56,7 +58,8 @@ get: function () { | ||
// The url may have been changed by a temporary | ||
// redirect. If that's the case, revert it now. | ||
// The url may have been changed by a temporary redirect. If that's the case, | ||
// revert it now, and flag that we are no longer pointing to a new origin | ||
if (reconnectUrl) { | ||
url = reconnectUrl | ||
reconnectUrl = null | ||
hasNewOrigin = false | ||
} | ||
@@ -74,5 +77,5 @@ setTimeout(function () { | ||
var lastEventId = '' | ||
if (eventSourceInitDict && eventSourceInitDict.headers && eventSourceInitDict.headers['Last-Event-ID']) { | ||
lastEventId = eventSourceInitDict.headers['Last-Event-ID'] | ||
delete eventSourceInitDict.headers['Last-Event-ID'] | ||
if (headers && headers['Last-Event-ID']) { | ||
lastEventId = headers['Last-Event-ID'] | ||
delete headers['Last-Event-ID'] | ||
} | ||
@@ -91,5 +94,6 @@ | ||
if (lastEventId) options.headers['Last-Event-ID'] = lastEventId | ||
if (eventSourceInitDict && eventSourceInitDict.headers) { | ||
for (var i in eventSourceInitDict.headers) { | ||
var header = eventSourceInitDict.headers[i] | ||
if (headers) { | ||
var reqHeaders = hasNewOrigin ? removeUnsafeHeaders(headers) : headers | ||
for (var i in reqHeaders) { | ||
var header = reqHeaders[i] | ||
if (header) { | ||
@@ -154,3 +158,4 @@ options.headers[i] = header | ||
if (res.statusCode === 301 || res.statusCode === 302 || res.statusCode === 307) { | ||
if (!res.headers.location) { | ||
var location = res.headers.location | ||
if (!location) { | ||
// Server sent redirect response without Location header. | ||
@@ -160,4 +165,7 @@ _emit('error', new Event('error', {status: res.statusCode, message: res.statusMessage})) | ||
} | ||
var prevOrigin = original(url) | ||
var nextOrigin = original(location) | ||
hasNewOrigin = prevOrigin !== nextOrigin | ||
if (res.statusCode === 307) reconnectUrl = url | ||
url = res.headers.location | ||
url = location | ||
process.nextTick(connect) | ||
@@ -452,1 +460,21 @@ return | ||
} | ||
/** | ||
* Returns a new object of headers that does not include any authorization and cookie headers | ||
* | ||
* @param {Object} headers An object of headers ({[headerName]: headerValue}) | ||
* @return {Object} a new object of headers | ||
* @api private | ||
*/ | ||
function removeUnsafeHeaders (headers) { | ||
var safe = {} | ||
for (var key in headers) { | ||
if (/^(cookie|authorization)$/i.test(key)) { | ||
continue | ||
} | ||
safe[key] = headers[key] | ||
} | ||
return safe | ||
} |
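Review bot: `hasNewOrigin` is recomputed against the previous hop rather than against the origin the headers were configured for. In the redirect handler (`var prevOrigin = original(url)` … `hasNewOrigin = prevOrigin !== nextOrigin`), a second redirect that stays on the already-foreign origin sets the flag back to false, so the next `connect` sends the unfiltered `headers`, including `Authorization` and `Cookie`, to that origin. Compare against the initial origin instead: capture `var initialOrigin = original(url)` once where `hasNewOrigin` is declared, and use `hasNewOrigin = original(location) !== initialOrigin` here. This assumes `url` still holds the caller-supplied value at that declaration, which is outside the visible hunks, as are the start and end of the enclosing response handler. A comment on the flag such as `// true while url points at an origin other than the one the headers were supplied for` would make the invariant explicit.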
{ | ||
"name": "eventsource", | ||
"version": "1.1.0", | ||
"version": "1.1.1", | ||
"description": "W3C compliant EventSource client for Node.js and browser (polyfill)", | ||
@@ -5,0 +5,0 @@ "keywords": [ |