fix: [#1048] Always include manually set authorization headers in requests (#1957)

Author: capricorn86

packages/happy-dom/src/fetch/Fetch.ts

@@ -974,8 +974,6 @@ export default class Fetch {
 					(this.request.credentials === 'same-origin' &&
 						FetchCORSUtility.isCORS(this.#window.location.href, locationURL))
 				) {
-					headers.delete('authorization');
-					headers.delete('www-authenticate');
 					headers.delete('cookie');
 					headers.delete('cookie2');
 				}

packages/happy-dom/src/fetch/SyncFetch.ts

@@ -681,8 +681,6 @@ export default class SyncFetch {
 					(this.request.credentials === 'same-origin' &&
 						FetchCORSUtility.isCORS(this.#window.location.href, locationURL))
 				) {
-					headers.delete('authorization');
-					headers.delete('www-authenticate');
 					headers.delete('cookie');
 					headers.delete('cookie2');
 				}

packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts

@@ -86,15 +86,6 @@ export default class FetchRequestHeaderUtility {
 		const originURL = new URL(options.window.location.href);
 		const isCORS = FetchCORSUtility.isCORS(originURL, options.request[PropertySymbol.url]);
 
-		// TODO: Maybe we need to add support for OPTIONS request with 'Access-Control-Allow-*' headers?
-		if (
-			options.request.credentials === 'omit' ||
-			(options.request.credentials === 'same-origin' && isCORS)
-		) {
-			headers.delete('authorization');
-			headers.delete('www-authenticate');
-		}
-
 		headers.set('Accept-Encoding', 'gzip, deflate, br');
 		headers.set('Connection', 'close');
 
@@ -117,6 +108,9 @@ export default class FetchRequestHeaderUtility {
 			if (cookies.length > 0) {
 				headers.set('Cookie', CookieStringUtility.cookiesToString(cookies));
 			}
+		} else {
+			headers.delete('Cookie');
+			headers.delete('Cookie2');
 		}
 
 		if (!headers.has('Accept')) {

packages/happy-dom/test/fetch/Fetch.test.ts

@@ -993,7 +993,7 @@ describe('Fetch', () => {
 			]);
 		});
 
-		it(`Doesn't forward the headers "cookie", "authorization" or "www-authenticate" if request credentials are set to "omit".`, async () => {
+		it(`Doesn't forward "cookie" headers if request credentials are set to "omit".`, async () => {
 			const window = new Window({ url: 'https://localhost:8080/' });
 			const url = 'https://localhost:8080/some/path';
 
@@ -1019,7 +1019,9 @@ describe('Fetch', () => {
 							Connection: 'close',
 							Referer: 'https://localhost:8080/',
 							'User-Agent': window.navigator.userAgent,
-							'Accept-Encoding': 'gzip, deflate, br'
+							'Accept-Encoding': 'gzip, deflate, br',
+							authorization: 'authorization',
+							'www-authenticate': 'www-authenticate'
 						},
 						agent: false,
 						rejectUnauthorized: true,
@@ -1030,7 +1032,7 @@ describe('Fetch', () => {
 			]);
 		});
 
-		it('Does not forward the headers "cookie", "authorization" or "www-authenticate" if request credentials are set to "same-origin" and the request goes do a different origin than the document.', async () => {
+		it('Does not forward "cookie" headers if request credentials are set to "same-origin" and the request goes do a different origin than the document.', async () => {
 			const originURL = 'https://localhost:8080';
 			const window = new Window({ url: originURL });
 			const url = 'https://other.origin.com/some/path';
@@ -1083,7 +1085,9 @@ describe('Fetch', () => {
 							'User-Agent': window.navigator.userAgent,
 							'Accept-Encoding': 'gzip, deflate, br',
 							Origin: originURL,
-							Referer: originURL + '/'
+							Referer: originURL + '/',
+							authorization: 'authorization',
+							'www-authenticate': 'www-authenticate'
 						},
 						agent: false,
 						rejectUnauthorized: true,

packages/happy-dom/test/fetch/SyncFetch.test.ts

@@ -1516,7 +1516,7 @@ describe('SyncFetch', () => {
 			);
 		});
 
-		it('Does\'nt forward the headers "cookie", "authorization" or "www-authenticate" if request credentials are set to "omit".', () => {
+		it('Does\'nt forward "cookie" headers if request credentials are set to "omit".', () => {
 			browserFrame.url = 'https://localhost:8080/';
 
 			const url = 'https://localhost:8080/some/path';
@@ -1561,14 +1561,16 @@ describe('SyncFetch', () => {
 						Connection: 'close',
 						Referer: 'https://localhost:8080/',
 						'User-Agent': window.navigator.userAgent,
-						'Accept-Encoding': 'gzip, deflate, br'
+						'Accept-Encoding': 'gzip, deflate, br',
+						authorization: 'authorization',
+						'www-authenticate': 'www-authenticate'
 					},
 					body: null
 				})
 			);
 		});
 
-		it('Does\'nt forward the headers "cookie", "authorization" or "www-authenticate" if request credentials are set to "same-origin" and the request goes do a different origin than the document.', () => {
+		it('Does\'nt forward "cookie" headers if request credentials are set to "same-origin" and the request goes do a different origin than the document.', () => {
 			const originURL = 'https://localhost:8080';
 
 			browserFrame.url = originURL;
@@ -1618,7 +1620,9 @@ describe('SyncFetch', () => {
 						'User-Agent': window.navigator.userAgent,
 						'Accept-Encoding': 'gzip, deflate, br',
 						Origin: originURL,
-						Referer: originURL + '/'
+						Referer: originURL + '/',
+						authorization: 'authorization',
+						'www-authenticate': 'www-authenticate'
 					},
 					body: null
 				})