From 64daac1f98fb4c8ee2e0b7ad429c6e337d44b47d Mon Sep 17 00:00:00 2001
From: Kiko Beats <josefrancisco.verdu@gmail.com>
Date: Tue, 11 Oct 2022 11:18:59 +0200
Subject: [PATCH] fix: don't delete headers in a redirect

---
 packages/runtime/src/edge-runtime.ts        |  8 +++--
 packages/runtime/tests/edge-runtime.test.ts | 40 +++++++++++++++++++++
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/packages/runtime/src/edge-runtime.ts b/packages/runtime/src/edge-runtime.ts
index 46ccde79..3f3ab202 100644
--- a/packages/runtime/src/edge-runtime.ts
+++ b/packages/runtime/src/edge-runtime.ts
@@ -152,9 +152,11 @@ function getDispatchFetchCode() {
 
       response.waitUntil = () => Promise.all(event.awaiting);
 
-      response.headers.delete('content-encoding');
-      response.headers.delete('transform-encoding');
-      response.headers.delete('content-length');
+      if (response.status < 300 || response.status >= 400 ) {
+        response.headers.delete('content-encoding');
+        response.headers.delete('transform-encoding');
+        response.headers.delete('content-length');
+      }
 
       return response;
     }
diff --git a/packages/runtime/tests/edge-runtime.test.ts b/packages/runtime/tests/edge-runtime.test.ts
index f1e96ac8..271f48d4 100644
--- a/packages/runtime/tests/edge-runtime.test.ts
+++ b/packages/runtime/tests/edge-runtime.test.ts
@@ -14,6 +14,46 @@ beforeAll(async () => {
   ;({ EdgeRuntime } = await import('../src/edge-runtime'))
 })
 
+test("don't expose servers headers", async () => {
+  const runtime = new EdgeRuntime()
+
+  runtime.evaluate(`
+    addEventListener("fetch", (event) => {
+      event.respondWith(new Response('success', {
+        headers: {
+          'content-encoding': 'gzip',
+          'transform-encoding': 'compress',
+          'content-length': 7
+        }
+      }))
+    })
+  `)
+
+  const res = await runtime.dispatchFetch('https://localhost.com')
+  expect(res.status).toBe(200)
+  expect(await res.text()).toBe('success')
+  expect(Array.from(res.headers)).toEqual([
+    ['content-type', 'text/plain;charset=UTF-8'],
+  ])
+})
+
+test("don't expose servers headers in a redirect", async () => {
+  const runtime = new EdgeRuntime()
+
+  runtime.evaluate(`
+    addEventListener("fetch", (event) => {
+      event.respondWith(Response.redirect(new URL('https://example.vercel.sh')));
+    })
+  `)
+
+  const res = await runtime.dispatchFetch('https://localhost.com')
+
+  expect(Array.from(res.headers)).toEqual([
+    ['location', 'https://example.vercel.sh/'],
+  ])
+  expect(res.status).toBe(302)
+})
+
 test('allows to add FetchEvent handlers', async () => {
   const runtime = new EdgeRuntime()