Firefox not sending original Authorization header when fetch follows a redirect in 112.0
We've noticed that in Firefox 112.0 (maybe in 111.0? haven't tested yet...) when a `fetch` request with an `Authorization` header gets a `302` (or `307`, and probably any other redirect response code) and `redirect` is set to `follow`, the second request is made _without_ an `Authorization` header, which breaks our website.
In 110.0 this isn't an issue, and no warning is logged to tell us it's about to change.
I'm guessing this is a security change - could someone point me at the discussion that led to it being made? My feeling is that if the redirect is to the same origin as the original request, sending the same `Authorization` header should be secure enough.
I'm wondering what the right mitigation is; we could follow redirects manually of course, but it's a pain.
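The manual-redirect mitigation the poster mentions, as an added example that is not from the original post: a wrapper that follows redirects itself and re-sends `Authorization` only when the target is same-origin, which is the rule Firefox now applies. It assumes an injected fetch that returns a readable redirect response (server-side runtimes do; in a browser, `redirect: 'manual'` yields an opaque redirect whose `Location` is hidden, so there the decision has to be made wherever the target is known); the fake server and the `*.example` hosts are constructed.

```javascript
// Same-origin test as the WHATWG URL origin (scheme + host + port).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Headers that may travel to the redirect target: credentials are kept only
// when the origin does not change, otherwise Authorization is dropped.
function headersForRedirect(fromUrl, toUrl, headers) {
  const out = new Headers(headers);
  if (!sameOrigin(fromUrl, toUrl)) out.delete('authorization');
  return out;
}

// Follow redirects by hand. fetchImpl is injected so the example runs offline;
// in production it would be the runtime's fetch.
async function fetchWithAuthRedirects(url, init = {}, fetchImpl = fetch, maxHops = 5) {
  let current = new URL(url).toString();
  let headers = new Headers(init.headers);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(current, { ...init, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (![301, 302, 303, 307, 308].includes(res.status) || !location) return res;
    const next = new URL(location, current).toString(); // Location may be relative
    headers = headersForRedirect(current, next, headers);
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed fake server: login -> same-origin /api/me -> cross-origin CDN.
// It records the Authorization value each hop receives.
function makeFakeFetch(log) {
  return async (url, init) => {
    log.push({ url, auth: new Headers(init.headers).get('authorization') });
    if (url === 'https://app.example/login')
      return new Response(null, { status: 302, headers: { location: '/api/me' } });
    if (url === 'https://app.example/api/me')
      return new Response(null, { status: 307, headers: { location: 'https://cdn.example/me' } });
    return new Response('ok', { status: 200 });
  };
}
```

Run against the fake server, the first two hops carry the bearer token and the third (cross-origin) hop arrives without it.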