[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wget passes Authorization header cross-domain upon redirect

From: Dolev Farhi
Subject: Wget passes Authorization header cross-domain upon redirect
Date: Fri, 22 Jan 2021 23:35:50 -0500

hi Wget team!

When making an HTTP GET request with Authorization header, together with
the follow redirect flag (-L), e.g.:

wget -v --header="Authorization: zzzzz==" -L

If the remote server ( redirects to (different host +
port), the Authorization header will be passed to the redirected new host
on the new port.

1. Client sends HTTP GET with Authorization header to Server1:8080
2. Server1 redirects Client to Server2:8081
3. Server2:8081 receives the Authorization header

My understanding is, if the scheme, host or port are different, then it
makes a different origin, and is effectively cross origin. Which means the
Header shouldn't be passed on in this case, and needs to be stripped?

This is reproducible in the following versions:

GNU Wget 1.21 built on MacOSX
GNU Wget 1.18 on Ubuntu

cURL apparently experienced the same issue in 2018, described here:


reply via email to

[Prev in Thread] Current Thread [Next in Thread]