@@ -31,6 +31,8 @@ function hasBom (buf) {
3131 **/
3232function EventSource ( url , eventSourceInitDict ) {
3333 var readyState = EventSource . CONNECTING
34+ var headers = eventSourceInitDict && eventSourceInitDict . headers
35+ var hasNewOrigin = false
3436 Object . defineProperty ( this , 'readyState' , {
3537 get : function ( ) {
3638 return readyState
@@ -52,11 +54,12 @@ function EventSource (url, eventSourceInitDict) {
5254 readyState = EventSource . CONNECTING
5355 _emit ( 'error' , new Event ( 'error' , { message : message } ) )
5456
55- // The url may have been changed by a temporary
56- // redirect. If that's the case, revert it now.
57+ // The url may have been changed by a temporary redirect. If that's the case,
58+ // revert it now, and flag that we are no longer pointing to a new origin
5759 if ( reconnectUrl ) {
5860 url = reconnectUrl
5961 reconnectUrl = null
62+ hasNewOrigin = false
6063 }
6164 setTimeout ( function ( ) {
6265 if ( readyState !== EventSource . CONNECTING || self . connectionInProgress ) {
@@ -69,9 +72,9 @@ function EventSource (url, eventSourceInitDict) {
6972
7073 var req
7174 var lastEventId = ''
72- if ( eventSourceInitDict && eventSourceInitDict . headers && eventSourceInitDict . headers [ 'Last-Event-ID' ] ) {
73- lastEventId = eventSourceInitDict . headers [ 'Last-Event-ID' ]
74- delete eventSourceInitDict . headers [ 'Last-Event-ID' ]
75+ if ( headers && headers [ 'Last-Event-ID' ] ) {
76+ lastEventId = headers [ 'Last-Event-ID' ]
77+ delete headers [ 'Last-Event-ID' ]
7578 }
7679
7780 var discardTrailingNewline = false
@@ -85,9 +88,10 @@ function EventSource (url, eventSourceInitDict) {
8588 var isSecure = options . protocol === 'https:'
8689 options . headers = { 'Cache-Control' : 'no-cache' , 'Accept' : 'text/event-stream' }
8790 if ( lastEventId ) options . headers [ 'Last-Event-ID' ] = lastEventId
88- if ( eventSourceInitDict && eventSourceInitDict . headers ) {
89- for ( var i in eventSourceInitDict . headers ) {
90- var header = eventSourceInitDict . headers [ i ]
91+ if ( headers ) {
92+ var reqHeaders = hasNewOrigin ? removeUnsafeHeaders ( headers ) : headers
93+ for ( var i in reqHeaders ) {
94+ var header = reqHeaders [ i ]
9195 if ( header ) {
9296 options . headers [ i ] = header
9397 }
@@ -147,13 +151,17 @@ function EventSource (url, eventSourceInitDict) {
147151
148152 // Handle HTTP redirects
149153 if ( res . statusCode === 301 || res . statusCode === 302 || res . statusCode === 307 ) {
150- if ( ! res . headers . location ) {
154+ var location = res . headers . location
155+ if ( ! location ) {
151156 // Server sent redirect response without Location header.
152157 _emit ( 'error' , new Event ( 'error' , { status : res . statusCode , message : res . statusMessage } ) )
153158 return
154159 }
160+ var prevOrigin = original ( url )
161+ var nextOrigin = original ( location )
162+ hasNewOrigin = prevOrigin !== nextOrigin
155163 if ( res . statusCode === 307 ) reconnectUrl = url
156- url = res . headers . location
164+ url = location
157165 process . nextTick ( connect )
158166 return
159167 }
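Review bot: The origin check added at lines 160–162 compares the redirect target against the previous hop's `url` rather than the URL the caller supplied, so a chain that leaves the original origin once and then redirects within the new origin (A → B, then B → B/other) resets `hasNewOrigin` to false and the next `connect` sends the caller's Cookie and Authorization headers to B. Capturing the caller's origin once next to the new `hasNewOrigin` declaration in the first hunk, `var origin = original(url)`, and replacing the three added lines here with `hasNewOrigin = original(location) !== origin` closes that gap. The 307 path that restores `url` from `reconnectUrl` and clears `hasNewOrigin` is unaffected, since it returns to the caller's URL. Whether `original()` handles a relative or scheme-less Location value is not visible here and worth confirming. EventSource's body continues outside the hunk.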
@@ -443,3 +451,23 @@ function MessageEvent (type, eventInitDict) {
443451 }
444452 }
445453}
454+
455+ /**
456+ * Returns a new object of headers that does not include any authorization and cookie headers
457+ *
458+ * @param {Object } headers An object of headers ({[headerName]: headerValue})
459+ * @return {Object } a new object of headers
460+ * @api private
461+ */
462+ function removeUnsafeHeaders ( headers ) {
463+ var safe = { }
464+ for ( var key in headers ) {
465+ if ( / ^ ( c o o k i e | a u t h o r i z a t i o n ) $ / i. test ( key ) ) {
466+ continue
467+ }
468+
469+ safe [ key ] = headers [ key ]
470+ }
471+
472+ return safe
473+ }
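Review bot: `removeUnsafeHeaders` filters only `cookie` and `authorization`, so a caller-supplied `Proxy-Authorization` header still follows a cross-origin redirect; widening the pattern to `/^(cookie|authorization|proxy-authorization)$/i` covers it (the regex appears spaced out character by character on this page, presumably a rendering artefact). The `for...in` copy also carries inherited enumerable keys into `safe`, which matches the existing header loop in `connect` but means a guard such as `if (!Object.prototype.hasOwnProperty.call(headers, key)) continue` would be needed if that loop is ever tightened. The JSDoc could state that callers apply this only when the redirect target's origin differs from the current one, since the function itself performs no origin check.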