lib/mechanize/http/agent.rb in mechanize-2.8.4 vs lib/mechanize/http/agent.rb in mechanize-2.8.5
- old
+ new
@@ -7,11 +7,12 @@
# An HTTP (and local disk access) user agent. This class is an implementation
# detail and is subject to change at any time.
class Mechanize::HTTP::Agent
- CREDENTIAL_HEADERS = ['Authorization', 'Cookie']
+ CREDENTIAL_HEADERS = ['Authorization']
+ COOKIE_HEADERS = ['Cookie']
POST_HEADERS = ['Content-Length', 'Content-MD5', 'Content-Type']
# :section: Headers
# Disables If-Modified-Since conditional requests (enabled by default)
@@ -996,13 +997,17 @@
POST_HEADERS.each do |key|
headers.delete_if { |h| h.casecmp?(key) }
end
# Make sure we clear credential headers if being redirected to another site
- if new_uri.host != page.uri.host
- CREDENTIAL_HEADERS.each do |ch|
- headers.delete_if { |h| h.casecmp?(ch) }
+ if new_uri.host == page.uri.host
+ if new_uri.port != page.uri.port
+ # https://datatracker.ietf.org/doc/html/rfc6265#section-8.5
+ # cookies are OK to be shared across ports on the same host
+ CREDENTIAL_HEADERS.each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
end
+ else
+ (COOKIE_HEADERS + CREDENTIAL_HEADERS).each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
end
fetch new_uri, redirect_method, headers, [], referer, redirects + 1
end
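Review bot: The new same-host branch keys only on `port`, so a redirect that keeps host and port but downgrades the scheme (e.g. `https://h:8443` → `http://h:8443`) forwards `Authorization` over cleartext, and the `https`→`http` default-port case still forwards the caller-supplied `Cookie` header in cleartext because only `Authorization` is dropped there. HTTP auth's protection space is the scheme/host/port origin, not the host, so the condition should at least also strip on a scheme downgrade: `if new_uri.port != page.uri.port || (page.uri.scheme == 'https' && new_uri.scheme != 'https')`, and arguably `COOKIE_HEADERS` should be dropped under the same downgrade condition since the cookie's Secure attribute cannot be checked on a raw header value. The comment on the RFC 6265 §8.5 reference would read more accurately as `# RFC 6265 §8.5: cookies are not isolated by port, so Cookie may follow a same-host cross-port redirect; Authorization is origin-scoped and is dropped`, since the RFC describes port non-isolation as a weakness rather than an endorsement. Whether `new_uri` has already been resolved against `page.uri` (so `host` is never nil here) is not visible in the hunk; the enclosing method starts outside it.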