diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 000000000..78f6bbf83
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: node-fetch # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with a single custom sponsorship URL
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 188fcd399..29d168cf7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,29 @@ Changelog
# 2.x release
+## v2.6.5
+
+- Fix: import `whatwg-url` in a way compatible with ESM
+
+## v2.6.4
+
+- Hotfix: fix v2.6.3 that did not sending query params
+
+## v2.6.3
+
+- Fix: properly encode url with unicode characters
+
+## v2.6.2
+
+- Fix: used full filename for main in package.json
+- Other: pinned codecov & teeny-request (had one breaking change with spread operators)
+
+## v2.6.1
+
+**This is an important security release. It is strongly recommended to update as soon as possible.**
+
+- Fix: honor the `size` option after following a redirect.
+
## v2.6.0
- Enhance: `options.agent`, it now accepts a function that returns custom http(s).Agent instance based on current URL, see readme for more information.
diff --git a/README.md b/README.md
index cb1990120..2dde74289 100644
--- a/README.md
+++ b/README.md
@@ -5,11 +5,14 @@ node-fetch
[![build status][travis-image]][travis-url]
[![coverage status][codecov-image]][codecov-url]
[![install size][install-size-image]][install-size-url]
+[![Discord][discord-image]][discord-url]
A light-weight module that brings `window.fetch` to Node.js
(We are looking for [v2 maintainers and collaborators](https://github.com/bitinn/node-fetch/issues/567))
+[![Backers][opencollective-image]][opencollective-url]
+
- [Motivation](#motivation)
@@ -48,7 +51,7 @@ A light-weight module that brings `window.fetch` to Node.js
## Motivation
-Instead of implementing `XMLHttpRequest` in Node.js to run browser-specific [Fetch polyfill](https://github.com/github/fetch), why not go from native `http` to `fetch` API directly? Hence `node-fetch`, minimal code for a `window.fetch` compatible API on Node.js runtime.
+Instead of implementing `XMLHttpRequest` in Node.js to run browser-specific [Fetch polyfill](https://github.com/github/fetch), why not go from native `http` to `fetch` API directly? Hence, `node-fetch`, minimal code for a `window.fetch` compatible API on Node.js runtime.
See Matt Andrews' [isomorphic-fetch](https://github.com/matthew-andrews/isomorphic-fetch) or Leonardo Quixada's [cross-fetch](https://github.com/lquixada/cross-fetch) for isomorphic usage (exports `node-fetch` for server-side, `whatwg-fetch` for client-side).
@@ -56,9 +59,9 @@ See Matt Andrews' [isomorphic-fetch](https://github.com/matthew-andrews/isomorph
- Stay consistent with `window.fetch` API.
- Make conscious trade-off when following [WHATWG fetch spec][whatwg-fetch] and [stream spec](https://streams.spec.whatwg.org/) implementation details, document known differences.
-- Use native promise, but allow substituting it with [insert your favorite promise library].
-- Use native Node streams for body, on both request and response.
-- Decode content encoding (gzip/deflate) properly, and convert string output (such as `res.text()` and `res.json()`) to UTF-8 automatically.
+- Use native promise but allow substituting it with [insert your favorite promise library].
+- Use native Node streams for body on both request and response.
+- Decode content encoding (gzip/deflate) properly and convert string output (such as `res.text()` and `res.json()`) to UTF-8 automatically.
- Useful extensions such as timeout, redirect limit, response size limit, [explicit errors](ERROR-HANDLING.md) for troubleshooting.
## Difference from client-side fetch
@@ -72,16 +75,16 @@ See Matt Andrews' [isomorphic-fetch](https://github.com/matthew-andrews/isomorph
Current stable release (`2.x`)
```sh
-$ npm install node-fetch --save
+$ npm install node-fetch
```
## Loading and configuring the module
-We suggest you load the module via `require`, pending the stabalizing of es modules in node:
+We suggest you load the module via `require` until the stabilization of ES modules in node:
```js
const fetch = require('node-fetch');
```
-If you are using a Promise library other than native, set it through fetch.Promise:
+If you are using a Promise library other than native, set it through `fetch.Promise`:
```js
const Bluebird = require('bluebird');
@@ -90,7 +93,7 @@ fetch.Promise = Bluebird;
## Common Usage
-NOTE: The documentation below is up-to-date with `2.x` releases, [see `1.x` readme](https://github.com/bitinn/node-fetch/blob/1.x/README.md), [changelog](https://github.com/bitinn/node-fetch/blob/1.x/CHANGELOG.md) and [2.x upgrade guide](UPGRADE-GUIDE.md) for the differences.
+NOTE: The documentation below is up-to-date with `2.x` releases; see the [`1.x` readme](https://github.com/bitinn/node-fetch/blob/1.x/README.md), [changelog](https://github.com/bitinn/node-fetch/blob/1.x/CHANGELOG.md) and [2.x upgrade guide](UPGRADE-GUIDE.md) for the differences.
#### Plain text or HTML
```js
@@ -146,9 +149,9 @@ fetch('https://httpbin.org/post', { method: 'POST', body: params })
```
#### Handling exceptions
-NOTE: 3xx-5xx responses are *NOT* exceptions, and should be handled in `then()`, see the next section.
+NOTE: 3xx-5xx responses are *NOT* exceptions and should be handled in `then()`; see the next section for more information.
-Adding a catch to the fetch promise chain will catch *all* exceptions, such as errors originating from node core libraries, like network errors, and operational errors which are instances of FetchError. See the [error handling document](ERROR-HANDLING.md) for more details.
+Adding a catch to the fetch promise chain will catch *all* exceptions, such as errors originating from node core libraries, network errors and operational errors, which are instances of FetchError. See the [error handling document](ERROR-HANDLING.md) for more details.
```js
fetch('https://domain.invalid/')
@@ -186,7 +189,7 @@ fetch('https://assets-cdn.github.com/images/modules/logos_page/Octocat.png')
```
#### Buffer
-If you prefer to cache binary data in full, use buffer(). (NOTE: buffer() is a `node-fetch` only API)
+If you prefer to cache binary data in full, use buffer(). (NOTE: `buffer()` is a `node-fetch`-only API)
```js
const fileType = require('file-type');
@@ -211,7 +214,7 @@ fetch('https://github.com/')
#### Extract Set-Cookie Header
-Unlike browsers, you can access raw `Set-Cookie` headers manually using `Headers.raw()`, this is a `node-fetch` only API.
+Unlike browsers, you can access raw `Set-Cookie` headers manually using `Headers.raw()`. This is a `node-fetch` only API.
```js
fetch(url).then(res => {
@@ -263,11 +266,11 @@ fetch('https://httpbin.org/post', options)
#### Request cancellation with AbortSignal
-> NOTE: You may only cancel streamed requests on Node >= v8.0.0
+> NOTE: You may cancel streamed requests only on Node >= v8.0.0
You may cancel requests with `AbortController`. A suggested implementation is [`abort-controller`](https://www.npmjs.com/package/abort-controller).
-An example of timing out a request after 150ms could be achieved as follows:
+An example of timing out a request after 150ms could be achieved as the following:
```js
import AbortController from 'abort-controller';
@@ -308,7 +311,7 @@ See [test cases](https://github.com/bitinn/node-fetch/blob/master/test/test.js)
Perform an HTTP(S) fetch.
-`url` should be an absolute url, such as `https://example.com/`. A path-relative URL (`/file/under/root`) or protocol-relative URL (`//can-be-http-or-https.com/`) will result in a rejected promise.
+`url` should be an absolute url, such as `https://example.com/`. A path-relative URL (`/file/under/root`) or protocol-relative URL (`//can-be-http-or-https.com/`) will result in a rejected `Promise`.
### Options
@@ -350,7 +353,7 @@ Note: when `body` is a `Stream`, `Content-Length` is not set automatically.
##### Custom Agent
-The `agent` option allows you to specify networking related options that's out of the scope of Fetch. Including and not limit to:
+The `agent` option allows you to specify networking related options which are out of the scope of Fetch, including and not limited to the following:
- Support self-signed certificate
- Use only IPv4 or IPv6
@@ -358,7 +361,7 @@ The `agent` option allows you to specify networking related options that's out o
See [`http.Agent`](https://nodejs.org/api/http.html#http_new_agent_options) for more information.
-In addition, `agent` option accepts a function that returns http(s).Agent instance given current [URL](https://nodejs.org/api/url.html), this is useful during a redirection chain across HTTP and HTTPS protocol.
+In addition, the `agent` option accepts a function that returns `http`(s)`.Agent` instance given current [URL](https://nodejs.org/api/url.html), this is useful during a redirection chain across HTTP and HTTPS protocol.
```js
const httpAgent = new http.Agent({
@@ -432,7 +435,7 @@ The following properties are not implemented in node-fetch at this moment:
*(spec-compliant)*
-- `body` A string or [Readable stream][node-readable]
+- `body` A `String` or [`Readable` stream][node-readable]
- `options` A [`ResponseInit`][response-init] options dictionary
Constructs a new `Response` object. The constructor is identical to that in the [browser](https://developer.mozilla.org/en-US/docs/Web/API/Response/Response).
@@ -462,7 +465,7 @@ This class allows manipulating and iterating over a set of HTTP headers. All met
- `init` Optional argument to pre-fill the `Headers` object
-Construct a new `Headers` object. `init` can be either `null`, a `Headers` object, an key-value map object, or any iterable object.
+Construct a new `Headers` object. `init` can be either `null`, a `Headers` object, an key-value map object or any iterable object.
```js
// Example adapted from https://fetch.spec.whatwg.org/#example-headers-class
@@ -503,7 +506,7 @@ The following methods are not yet implemented in node-fetch at this moment:
* Node.js [`Readable` stream][node-readable]
-The data encapsulated in the `Body` object. Note that while the [Fetch Standard][whatwg-fetch] requires the property to always be a WHATWG `ReadableStream`, in node-fetch it is a Node.js [`Readable` stream][node-readable].
+Data are encapsulated in the `Body` object. Note that while the [Fetch Standard][whatwg-fetch] requires the property to always be a WHATWG `ReadableStream`, in node-fetch it is a Node.js [`Readable` stream][node-readable].
#### body.bodyUsed
@@ -511,7 +514,7 @@ The data encapsulated in the `Body` object. Note that while the [Fetch Standard]
* `Boolean`
-A boolean property for if this body has been consumed. Per spec, a consumed body cannot be used again.
+A boolean property for if this body has been consumed. Per the specs, a consumed body cannot be used again.
#### body.arrayBuffer()
#### body.blob()
@@ -538,9 +541,9 @@ Consume the body and return a promise that will resolve to a Buffer.
* Returns: Promise<String>
-Identical to `body.text()`, except instead of always converting to UTF-8, encoding sniffing will be performed and text converted to UTF-8, if possible.
+Identical to `body.text()`, except instead of always converting to UTF-8, encoding sniffing will be performed and text converted to UTF-8 if possible.
-(This API requires an optional dependency on npm package [encoding](https://www.npmjs.com/package/encoding), which you need to install manually. `webpack` users may see [a warning message](https://github.com/bitinn/node-fetch/issues/412#issuecomment-379007792) due to this optional dependency.)
+(This API requires an optional dependency of the npm package [encoding](https://www.npmjs.com/package/encoding), which you need to install manually. `webpack` users may see [a warning message](https://github.com/bitinn/node-fetch/issues/412#issuecomment-379007792) due to this optional dependency.)
### Class: FetchError
@@ -574,6 +577,10 @@ MIT
[codecov-url]: https://codecov.io/gh/bitinn/node-fetch
[install-size-image]: https://flat.badgen.net/packagephobia/install/node-fetch
[install-size-url]: https://packagephobia.now.sh/result?p=node-fetch
+[discord-image]: https://img.shields.io/discord/619915844268326952?color=%237289DA&label=Discord&style=flat-square
+[discord-url]: https://discord.gg/Zxbndcm
+[opencollective-image]: https://opencollective.com/node-fetch/backers.svg
+[opencollective-url]: https://opencollective.com/node-fetch
[whatwg-fetch]: https://fetch.spec.whatwg.org/
[response-init]: https://fetch.spec.whatwg.org/#responseinit
[node-readable]: https://nodejs.org/api/stream.html#stream_readable_streams
diff --git a/browser.js b/browser.js
index 0ad5de004..83c54c584 100644
--- a/browser.js
+++ b/browser.js
@@ -16,7 +16,9 @@ var global = getGlobal();
module.exports = exports = global.fetch;
// Needed for TypeScript and Webpack.
-exports.default = global.fetch.bind(global);
+if (global.fetch) {
+ exports.default = global.fetch.bind(global);
+}
exports.Headers = global.Headers;
exports.Request = global.Request;
diff --git a/package.json b/package.json
index 8e5c883b2..3c1bd8da7 100644
--- a/package.json
+++ b/package.json
@@ -1,66 +1,76 @@
{
- "name": "node-fetch",
- "version": "2.6.0",
- "description": "A light-weight module that brings window.fetch to node.js",
- "main": "lib/index",
- "browser": "./browser.js",
- "module": "lib/index.mjs",
- "files": [
- "lib/index.js",
- "lib/index.mjs",
- "lib/index.es.js",
- "browser.js"
- ],
- "engines": {
- "node": "4.x || >=6.0.0"
- },
- "scripts": {
- "build": "cross-env BABEL_ENV=rollup rollup -c",
- "prepare": "npm run build",
- "test": "cross-env BABEL_ENV=test mocha --require babel-register --throw-deprecation test/test.js",
- "report": "cross-env BABEL_ENV=coverage nyc --reporter lcov --reporter text mocha -R spec test/test.js",
- "coverage": "cross-env BABEL_ENV=coverage nyc --reporter json --reporter text mocha -R spec test/test.js && codecov -f coverage/coverage-final.json"
- },
- "repository": {
- "type": "git",
- "url": "https://github.com/bitinn/node-fetch.git"
- },
- "keywords": [
- "fetch",
- "http",
- "promise"
- ],
- "author": "David Frank",
- "license": "MIT",
- "bugs": {
- "url": "https://github.com/bitinn/node-fetch/issues"
- },
- "homepage": "https://github.com/bitinn/node-fetch",
- "devDependencies": {
- "@ungap/url-search-params": "^0.1.2",
- "abort-controller": "^1.1.0",
- "abortcontroller-polyfill": "^1.3.0",
- "babel-core": "^6.26.3",
- "babel-plugin-istanbul": "^4.1.6",
- "babel-preset-env": "^1.6.1",
- "babel-register": "^6.16.3",
- "chai": "^3.5.0",
- "chai-as-promised": "^7.1.1",
- "chai-iterator": "^1.1.1",
- "chai-string": "~1.3.0",
- "codecov": "^3.3.0",
- "cross-env": "^5.2.0",
- "form-data": "^2.3.3",
- "is-builtin-module": "^1.0.0",
- "mocha": "^5.0.0",
- "nyc": "11.9.0",
- "parted": "^0.1.1",
- "promise": "^8.0.3",
- "resumer": "0.0.0",
- "rollup": "^0.63.4",
- "rollup-plugin-babel": "^3.0.7",
- "string-to-arraybuffer": "^1.0.2",
- "whatwg-url": "^5.0.0"
- },
- "dependencies": {}
+ "name": "node-fetch",
+ "version": "2.6.7",
+ "description": "A light-weight module that brings window.fetch to node.js",
+ "main": "lib/index.js",
+ "browser": "./browser.js",
+ "module": "lib/index.mjs",
+ "files": [
+ "lib/index.js",
+ "lib/index.mjs",
+ "lib/index.es.js",
+ "browser.js"
+ ],
+ "engines": {
+ "node": "4.x || >=6.0.0"
+ },
+ "scripts": {
+ "build": "cross-env BABEL_ENV=rollup rollup -c",
+ "prepare": "npm run build",
+ "test": "cross-env BABEL_ENV=test mocha --require babel-register --throw-deprecation test/test.js",
+ "report": "cross-env BABEL_ENV=coverage nyc --reporter lcov --reporter text mocha -R spec test/test.js",
+ "coverage": "cross-env BABEL_ENV=coverage nyc --reporter json --reporter text mocha -R spec test/test.js && codecov -f coverage/coverage-final.json"
+ },
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/bitinn/node-fetch.git"
+ },
+ "keywords": [
+ "fetch",
+ "http",
+ "promise"
+ ],
+ "author": "David Frank",
+ "license": "MIT",
+ "bugs": {
+ "url": "https://github.com/bitinn/node-fetch/issues"
+ },
+ "homepage": "https://github.com/bitinn/node-fetch",
+ "dependencies": {
+ "whatwg-url": "^5.0.0"
+ },
+ "peerDependencies": {
+ "encoding": "^0.1.0"
+ },
+ "peerDependenciesMeta": {
+ "encoding": {
+ "optional": true
+ }
+ },
+ "devDependencies": {
+ "@ungap/url-search-params": "^0.1.2",
+ "abort-controller": "^1.1.0",
+ "abortcontroller-polyfill": "^1.3.0",
+ "babel-core": "^6.26.3",
+ "babel-plugin-istanbul": "^4.1.6",
+ "babel-preset-env": "^1.6.1",
+ "babel-register": "^6.16.3",
+ "chai": "^3.5.0",
+ "chai-as-promised": "^7.1.1",
+ "chai-iterator": "^1.1.1",
+ "chai-string": "~1.3.0",
+ "codecov": "3.3.0",
+ "cross-env": "^5.2.0",
+ "form-data": "^2.3.3",
+ "is-builtin-module": "^1.0.0",
+ "mocha": "^5.0.0",
+ "nyc": "11.9.0",
+ "parted": "^0.1.1",
+ "promise": "^8.0.3",
+ "resumer": "0.0.0",
+ "rollup": "^0.63.4",
+ "rollup-plugin-babel": "^3.0.7",
+ "string-to-arraybuffer": "^1.0.2",
+ "teeny-request": "3.7.0"
+ }
}
diff --git a/rollup.config.js b/rollup.config.js
index a201ee455..d5951bd2e 100644
--- a/rollup.config.js
+++ b/rollup.config.js
@@ -1,9 +1,12 @@
import isBuiltin from 'is-builtin-module';
import babel from 'rollup-plugin-babel';
+import packageJson from './package.json';
import tweakDefault from './build/rollup-plugin';
process.env.BABEL_ENV = 'rollup';
+const dependencies = Object.keys(packageJson.dependencies);
+
export default {
input: 'src/index.js',
output: [
@@ -18,10 +21,6 @@ export default {
tweakDefault()
],
external: function (id) {
- if (isBuiltin(id)) {
- return true;
- }
- id = id.split('/').slice(0, id[0] === '@' ? 2 : 1).join('/');
- return !!require('./package.json').dependencies[id];
+ return dependencies.includes(id) || isBuiltin(id);
}
};
diff --git a/src/body.js b/src/body.js
index 1b6eab1f8..a9d2e7973 100644
--- a/src/body.js
+++ b/src/body.js
@@ -306,6 +306,12 @@ function convertBody(buffer, headers) {
// html4
if (!res && str) {
res = / {
+ const orig = new URL(original).hostname;
+ const dest = new URL(destination).hostname;
+
+ return orig === dest || (
+ orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest)
+ );
+};
+
/**
* Fetch function
@@ -109,12 +122,24 @@ export default function fetch(url, opts) {
const location = headers.get('Location');
// HTTP fetch step 5.3
- const locationURL = location === null ? null : resolve_url(request.url, location);
+ let locationURL = null;
+ try {
+ locationURL = location === null ? null : new URL(location, request.url).toString();
+ } catch (err) {
+ // error here can only be invalid URL in Location: header
+ // do not throw when options.redirect == manual
+ // let the user extract the errorneous redirect URL
+ if (request.redirect !== 'manual') {
+ reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+ finalize();
+ return;
+ }
+ }
// HTTP fetch step 5.5
switch (request.redirect) {
case 'error':
- reject(new FetchError(`redirect mode is set to error: ${request.url}`, 'no-redirect'));
+ reject(new FetchError(`uri requested responds with a redirect, redirect mode is set to error: ${request.url}`, 'no-redirect'));
finalize();
return;
case 'manual':
@@ -153,9 +178,16 @@ export default function fetch(url, opts) {
method: request.method,
body: request.body,
signal: request.signal,
- timeout: request.timeout
+ timeout: request.timeout,
+ size: request.size
};
+ if (!isDomainOrSubdomain(request.url, locationURL)) {
+ for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+ requestOpts.headers.delete(name);
+ }
+ }
+
// HTTP-redirect fetch step 9
if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {
reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));
diff --git a/src/request.js b/src/request.js
index 45a7eb7e4..739ba9071 100644
--- a/src/request.js
+++ b/src/request.js
@@ -9,15 +9,38 @@
import Url from 'url';
import Stream from 'stream';
+import whatwgUrl from 'whatwg-url';
import Headers, { exportNodeCompatibleHeaders } from './headers.js';
import Body, { clone, extractContentType, getTotalBytes } from './body';
const INTERNALS = Symbol('Request internals');
+const URL = Url.URL || whatwgUrl.URL;
// fix an issue where "format", "parse" aren't a named export for node <10
const parse_url = Url.parse;
const format_url = Url.format;
+/**
+ * Wrapper around `new URL` to handle arbitrary URLs
+ *
+ * @param {string} urlStr
+ * @return {void}
+ */
+function parseURL(urlStr) {
+ /*
+ Check whether the URL is absolute or not
+
+ Scheme: https://tools.ietf.org/html/rfc3986#section-3.1
+ Absolute URL: https://tools.ietf.org/html/rfc3986#section-4.3
+ */
+ if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.exec(urlStr)) {
+ urlStr = new URL(urlStr).toString()
+ }
+
+ // Fallback to old implementation for arbitrary URLs
+ return parse_url(urlStr);
+}
+
const streamDestructionSupported = 'destroy' in Stream.Readable.prototype;
/**
@@ -59,14 +82,14 @@ export default class Request {
// in order to support Node.js' Url objects; though WHATWG's URL objects
// will fall into this branch also (since their `toString()` will return
// `href` property anyway)
- parsedURL = parse_url(input.href);
+ parsedURL = parseURL(input.href);
} else {
// coerce input to a string before attempting to parse
- parsedURL = parse_url(`${input}`);
+ parsedURL = parseURL(`${input}`);
}
input = {};
} else {
- parsedURL = parse_url(input.url);
+ parsedURL = parseURL(input.url);
}
let method = init.method || input.method || 'GET';
diff --git a/test/server.js b/test/server.js
index e6aaacbf9..2f0baf8cd 100644
--- a/test/server.js
+++ b/test/server.js
@@ -1,7 +1,6 @@
import * as http from 'http';
import { parse } from 'url';
import * as zlib from 'zlib';
-import * as stream from 'stream';
import { multipart as Multipart } from 'parted';
let convert;
@@ -32,7 +31,7 @@ export default class TestServer {
}
router(req, res) {
- let p = parse(req.url).pathname;
+ let p = decodeURIComponent(parse(req.url).pathname);
if (p === '/hello') {
res.statusCode = 200;
@@ -66,6 +65,12 @@ export default class TestServer {
}));
}
+ if (p.startsWith('/redirect-to/3')) {
+ res.statusCode = p.slice(13, 16);
+ res.setHeader('Location', p.slice(17));
+ res.end();
+ }
+
if (p === '/gzip') {
res.statusCode = 200;
res.setHeader('Content-Type', 'text/plain');
@@ -181,6 +186,12 @@ export default class TestServer {
res.end(convert('中文
', 'gb2312'));
}
+ if (p === '/encoding/gb2312-reverse') {
+ res.statusCode = 200;
+ res.setHeader('Content-Type', 'text/html');
+ res.end(convert('中文
', 'gb2312'));
+ }
+
if (p === '/encoding/shift-jis') {
res.statusCode = 200;
res.setHeader('Content-Type', 'text/html; charset=Shift-JIS');
@@ -378,6 +389,12 @@ export default class TestServer {
});
req.pipe(parser);
}
+
+ if (p === '/issues/1290/ひらがな') {
+ res.statusCode = 200;
+ res.setHeader('Content-Type', 'text/plain');
+ res.end('Success');
+ }
}
}
diff --git a/test/test.js b/test/test.js
index 38d3ce050..cdeb51f00 100644
--- a/test/test.js
+++ b/test/test.js
@@ -1569,6 +1569,53 @@ describe('node-fetch', () => {
});
});
+ it('should not forward secure headers to 3th party', () => {
+ return fetch(`${base}redirect-to/302/https://httpbin.org/get`, {
+ headers: new Headers({
+ cookie: 'gets=removed',
+ cookie2: 'gets=removed',
+ authorization: 'gets=removed',
+ 'www-authenticate': 'gets=removed',
+ 'other-safe-headers': 'stays',
+ 'x-foo': 'bar'
+ })
+ }).then(res => res.json()).then(json => {
+ const headers = new Headers(json.headers);
+ // Safe headers are not removed
+ expect(headers.get('other-safe-headers')).to.equal('stays');
+ expect(headers.get('x-foo')).to.equal('bar');
+ // Unsafe headers should not have been sent to httpbin
+ expect(headers.get('cookie')).to.equal(null);
+ expect(headers.get('cookie2')).to.equal(null);
+ expect(headers.get('www-authenticate')).to.equal(null);
+ expect(headers.get('authorization')).to.equal(null);
+ });
+ });
+
+ it('should forward secure headers to same host', () => {
+ return fetch(`${base}redirect-to/302/${base}inspect`, {
+ headers: new Headers({
+ cookie: 'is=cookie',
+ cookie2: 'is=cookie2',
+ authorization: 'is=authorization',
+ 'other-safe-headers': 'stays',
+ 'www-authenticate': 'is=www-authenticate',
+ 'x-foo': 'bar'
+ })
+ }).then(res => res.json().then(json => {
+ const headers = new Headers(json.headers);
+ // Safe headers are not removed
+ expect(res.url).to.equal(`${base}inspect`);
+ expect(headers.get('other-safe-headers')).to.equal('stays');
+ expect(headers.get('x-foo')).to.equal('bar');
+ // Unsafe headers should not have been sent to httpbin
+ expect(headers.get('cookie')).to.equal('is=cookie');
+ expect(headers.get('cookie2')).to.equal('is=cookie2');
+ expect(headers.get('www-authenticate')).to.equal('is=www-authenticate');
+ expect(headers.get('authorization')).to.equal('is=authorization');
+ }));
+ });
+
it('should allow PATCH request', function() {
const url = `${base}inspect`;
const opts = {
@@ -2767,6 +2814,16 @@ describe('external encoding', () => {
});
});
+ it('should support encoding decode, html4 detect reverse http-equiv', function() {
+ const url = `${base}encoding/gb2312-reverse`;
+ return fetch(url).then(res => {
+ expect(res.status).to.equal(200);
+ return res.textConverted().then(result => {
+ expect(result).to.equal('中文
');
+ });
+ });
+ });
+
it('should default to utf8 encoding', function() {
const url = `${base}encoding/utf8`;
return fetch(url).then(res => {
@@ -2835,3 +2892,41 @@ describe('external encoding', () => {
});
});
});
+
+describe('issue #1290', function() {
+
+ it('should keep query params', function() {
+ return fetch(`${base}inspect?month=2021-09`)
+ .then(res => res.json())
+ .then(json => {
+ expect(json.url).to.equal('/inspect?month=2021-09')
+ })
+ })
+
+ it('should handle escaped unicode in URLs', () => {
+ const url = `${base}issues/1290/%E3%81%B2%E3%82%89%E3%81%8C%E3%81%AA`;
+ return fetch(url).then((res) => {
+ expect(res.status).to.equal(200);
+ return res.text().then(result => {
+ expect(result).to.equal('Success');
+ });
+ });
+ });
+
+ it('should handle unicode in URLs', () => {
+ const url = `${base}issues/1290/ひらがな`;
+ return fetch(url).then((res) => {
+ expect(res.status).to.equal(200);
+ return res.text().then(result => {
+ expect(result).to.equal('Success');
+ });
+ });
+ });
+
+ // #1342
+ it('should not throw with a valid URL', () => {
+ const url = 'https://r2---sn-n4v7sney.example.com';
+ new Request(url);
+ });
+
+});