Keep headers when upgrading from HTTP to HTTPS.

Fixes #192

Author: RubenVerborgh

.eslintrc

@@ -12,7 +12,7 @@
     array-callback-return: "error",
     block-scoped-var: "error",
     class-methods-use-this: "error",
-    complexity: "error",
+    complexity: "off",
     consistent-return: "error",
     curly: "error",
     default-case: "error",

index.js

@@ -403,9 +403,12 @@ RedirectableRequest.prototype._processResponse = function (response) {
   var redirectUrlParts = url.parse(redirectUrl);
   Object.assign(this._options, redirectUrlParts);
 
-  // Drop confidential headers when redirecting to another scheme:domain
-  if (redirectUrlParts.protocol !== currentUrlParts.protocol ||
-     !isSameOrSubdomain(redirectUrlParts.host, currentHost)) {
+  // Drop confidential headers when redirecting to a less secure protocol
+  // or to a different domain that is not a superdomain
+  if (redirectUrlParts.protocol !== currentUrlParts.protocol &&
+     redirectUrlParts.protocol !== "https:" ||
+     redirectUrlParts.host !== currentHost &&
+     !isSubdomain(redirectUrlParts.host, currentHost)) {
     removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
   }
 
@@ -561,10 +564,7 @@ function abortRequest(request) {
   request.abort();
 }
 
-function isSameOrSubdomain(subdomain, domain) {
-  if (subdomain === domain) {
-    return true;
-  }
+function isSubdomain(subdomain, domain) {
   const dot = subdomain.length - domain.length - 1;
   return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
 }

test/test.js

@@ -1523,7 +1523,36 @@ describe("follow-redirects", function () {
       });
     });
 
-    it("drops the header when redirected to a different scheme", function () {
+    it("keeps the header when redirected from HTTP to HTTPS", function () {
+      app.get("/a", redirectsTo(302, "https://localhost:3600/b"));
+      app.get("/b", function (req, res) {
+        res.end(JSON.stringify(req.headers));
+      });
+
+      var opts = url.parse("http://localhost:3600/a");
+      opts.headers = {};
+      opts.headers[header] = "the header value";
+
+      // Intercept the scheme
+      opts.beforeRedirect = function (options) {
+        assert.equal(options.protocol, "https:");
+        options.protocol = "http:";
+      };
+
+      return server.start(app)
+        .then(asPromise(function (resolve, reject) {
+          http.get(opts, resolve).on("error", reject);
+        }))
+        .then(asPromise(function (resolve, reject, res) {
+          res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
+        }))
+        .then(function (str) {
+          var body = JSON.parse(str);
+          assert.equal(body[header.toLowerCase()], "the header value");
+        });
+    });
+
+    it("drops the header when redirected from HTTPS to HTTP", function () {
       app.get("/a", redirectsTo(302, "http://localhost:3601/b"));
       app.get("/b", function (req, res) {
         res.end(JSON.stringify(req.headers));