From aeafd447263b22fa31f7b64c081dd00e3c9ecb2d Mon Sep 17 00:00:00 2001
From: Dmitry Gozman <dgozman@gmail.com>
Date: Tue, 30 Jan 2024 14:26:25 -0800
Subject: [PATCH] chore: strip Authorization header on ws redirect (#29246)

---
 packages/playwright-core/src/server/transport.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/packages/playwright-core/src/server/transport.ts b/packages/playwright-core/src/server/transport.ts
index 7fcdb92c12..6cefa270f8 100644
--- a/packages/playwright-core/src/server/transport.ts
+++ b/packages/playwright-core/src/server/transport.ts
@@ -114,8 +114,10 @@ export class WebSocketTransport implements ConnectionTransport {
     });
 
     if (result.redirect) {
-      // Strip access key headers from the redirected request.
-      const newHeaders = Object.fromEntries(Object.entries(headers || {}).filter(([name]) => !name.includes('access-key')));
+      // Strip authorization headers from the redirected request.
+      const newHeaders = Object.fromEntries(Object.entries(headers || {}).filter(([name]) => {
+        return !name.includes('access-key') && name.toLowerCase() !== 'authorization';
+      }));
       return WebSocketTransport._connect(progress, result.redirect.headers.location!, newHeaders, { follow: true, hadRedirects: true }, debugLogHeader);
     }