js · @angular/service-workerCritical
@angular/service-worker information disclosure on cross-origin redirects
On cross-origin redirects, the Service Worker fails to strip sensitive headers (e.
What changed
On cross-origin redirects, the Service Worker fails to strip sensitive headers (e.g., Authorization, Proxy-Authorization, cookies), violating the Fetch redirect algorithm.
Who it affects
Applications using @angular/service-worker that fetch assets with credential headers and may encounter cross-origin redirects.
What to do today
Update @angular/service-worker to patched version 22.0.1, 21.2.17, or 20.3.25 immediately.
The trail
Collected→
Audited→
Written→
Published