d0zingcat/cors-anywhere
1
0
Fork 0
mirror of https://github.com/d0zingcat/cors-anywhere.git synced 2026-05-27 15:10:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Reject invalid redirects

Browse Source 
Fixes #234.
This commit is contained in:
Rob Wu
2020-05-06 23:25:17 +02:00
parent 0a3b8e965f
commit a9e06a9dab
3 changed files with 23 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
test/setup.js
View File

@@ -114,6 +114,11 @@ nock('http://example.com')
.get('/redirectwithoutlocation')
.reply(302, 'maybe found')
.get('/redirectinvalidlocation')
.reply(302, 'redirecting to junk...', {
Location: 'http:///',
})
.get('/proxyerror')
.replyWithError('throw node')
;

13
test/test.js
View File

@@ -246,6 +246,19 @@ describe('Basic functionality', function() {
.expect(302, 'maybe found', done);
});
it('GET with 302 redirect to an invalid Location should not be followed', function(done) {
// There is nothing to follow, so let the browser decide what to do with it.
request(cors_anywhere)
.get('/example.com/redirectinvalidlocation')
.redirects(0)
.expect('Access-Control-Allow-Origin', '*')
.expect('x-request-url', 'http://example.com/redirectinvalidlocation')
.expect('x-final-url', 'http://example.com/redirectinvalidlocation')
.expect('access-control-expose-headers', /x-final-url/)
.expect('Location', 'http:///')
.expect(302, 'redirecting to junk...', done);
});
it('POST with 307 redirect should not be handled', function(done) {
// Because of implementation difficulties (having to keep the request body
// in memory), handling HTTP 307/308 redirects is deferred to the requestor.