Do not auto-follow 300 and 304 responses

RFC 9110 §15.4.5 defines 304 for conditional GET/HEAD, not as a normal redirect target, and RFC 9110 §13.2.2 points other methods to 412 instead. The simpler and safer boundary is to stop auto-following 304 entirely.

RFC 9110 §15.4.1 only says a user agent MAY use Location for automatic redirection on 300, so the simpler and safer boundary is to stop auto-following it. This also matches the Fetch and many other HTTP clients, which exclude 300.

Author: sindresorhus

source/core/index.ts

@@ -166,7 +166,7 @@ type StorageAdapter = KeyvStoreAdapter | KeyvType | Map<unknown, unknown>;
 
 const cacheableStore = new WeakableMap<string | StorageAdapter, CacheableRequestFunction>();
 
-const redirectCodes: ReadonlySet<number> = new Set([300, 301, 302, 303, 304, 307, 308]);
+const redirectCodes: ReadonlySet<number> = new Set([301, 302, 303, 307, 308]);
 const crossOriginStripHeaders = ['host', 'cookie', 'cookie2', 'authorization', 'proxy-authorization'] as const;
 const bodyHeaderNames = ['content-length', 'content-encoding', 'content-language', 'content-location', 'content-type'] as const;
 const transientWriteErrorCodes: ReadonlySet<string> = new Set(['EPIPE', 'ECONNRESET']);

test/redirects.ts

@@ -719,6 +719,84 @@ test('does not forward body on cross-origin permanent POST redirect by default',
 	});
 });
 
+test('does not follow 304 responses with a location header', withServer, async (t, server1, got) => {
+	await withServer.exec(t, async (t, server2) => {
+		let attackerHits = 0;
+
+		server1.post('/redirect', (_request, response) => {
+			response.writeHead(304, {
+				location: `http://localhost:${server2.port}/`,
+			});
+			response.end();
+		});
+
+		server2.post('/', async (request, response) => {
+			attackerHits++;
+
+			const chunks: Uint8Array[] = [];
+
+			for await (const chunk of request) {
+				chunks.push(Buffer.from(chunk));
+			}
+
+			response.end(JSON.stringify({
+				method: request.method,
+				body: Buffer.concat(chunks).toString(),
+				headers: request.headers,
+			}));
+		});
+
+		const response = await got.post('redirect', {
+			body: 'foobar',
+			throwHttpErrors: false,
+		});
+
+		t.is(response.statusCode, 304);
+		t.is(response.body, '');
+		t.deepEqual(response.redirectUrls, []);
+		t.is(attackerHits, 0);
+	});
+});
+
+test('does not follow 300 responses with a location header', withServer, async (t, server1, got) => {
+	await withServer.exec(t, async (t, server2) => {
+		let attackerHits = 0;
+
+		server1.post('/redirect', (_request, response) => {
+			response.writeHead(300, {
+				location: `http://localhost:${server2.port}/`,
+			});
+			response.end();
+		});
+
+		server2.post('/', async (request, response) => {
+			attackerHits++;
+
+			const chunks: Uint8Array[] = [];
+
+			for await (const chunk of request) {
+				chunks.push(Buffer.from(chunk));
+			}
+
+			response.end(JSON.stringify({
+				method: request.method,
+				body: Buffer.concat(chunks).toString(),
+				headers: request.headers,
+			}));
+		});
+
+		const response = await got.post('redirect', {
+			body: 'foobar',
+			throwHttpErrors: false,
+		});
+
+		t.is(response.statusCode, 300);
+		t.is(response.body, '');
+		t.deepEqual(response.redirectUrls, []);
+		t.is(attackerHits, 0);
+	});
+});
+
 test('preserves body on same-origin permanent POST redirect by default', withServer, async (t, server, got) => {
 	server.post('/redirect', (_request, response) => {
 		response.writeHead(301, {