From 1f30dc886d1a4a6e81599a9f5f5e9f60d97801d4 Mon Sep 17 00:00:00 2001
From: Katsuhiko YOSHIDA
Date: Sun, 30 Dec 2018 09:44:30 +0900
Subject: cookies: skip custom cookies when redirecting cross-site
Closes #3417
---
lib/http.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/http.c')
diff --git a/lib/http.c b/lib/http.c
index 303535af6..dd98e4a12 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1835,7 +1835,8 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
 checkprefix("Transfer-Encoding:", headers->data))
 /* HTTP/2 doesn't support chunked requests */
 ;
- else if(checkprefix("Authorization:", headers->data) &&
+ else if((checkprefix("Authorization:", headers->data) ||
+ checkprefix("Cookie:", headers->data)) &&
 /* be careful of sending this potentially sensitive header to other hosts */
 (data->state.this_is_a_follow &&
--
cgit v1.2.3
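Review bot: The context comment under the new condition still reads "this potentially sensitive header", although the branch now withholds two headers on a followed redirect; I would reword it to name both, e.g. `/* do not send a custom Authorization: or Cookie: header to other hosts when following a redirect */`. A `Cookie:` passed as a custom header carries no domain or path scoping of its own, so this branch is presumably the only thing limiting where it is sent, and the comment should say so. The rest of the condition (what counts as "other hosts") and the body of Curl_add_custom_headers lie outside the hunk, so it is not visible whether a change of port or scheme on the same host name is also treated as cross-site; that should be confirmed.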