Skip to content

compare scheme in redirect same-authority check#848

Open
dxbjavid wants to merge 1 commit into
apache:masterfrom
dxbjavid:redirect-scheme-authority
Open

compare scheme in redirect same-authority check#848
dxbjavid wants to merge 1 commit into
apache:masterfrom
dxbjavid:redirect-scheme-authority

Conversation

@dxbjavid

Copy link
Copy Markdown
Contributor

DefaultRedirectStrategy decides whether to keep the Authorization and Cookie headers on a redirect by comparing the current and new targets, but isSameAuthority only looks at the host name and the resolved port and leaves the scheme out. A response that redirects from https to http on the same host and the same explicit port, say https://host:8443/ to http://host:8443/, is treated as the same origin, so those credentials are retained and end up being sent in the clear. I've added the scheme to that comparison so a cross-scheme downgrade counts as a different origin and the sensitive headers are stripped as they already are for a different host or port.

if (h1 == null || h2 == null) {
return false;
}
if (!h1.getSchemeName().equalsIgnoreCase(h2.getSchemeName())) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A scheme change makes the origins different, but does not by itself require rejecting the redirect.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed, and that's the intent here. the scheme mismatch only marks the origins as different, it doesn't reject the redirect on its own. an https to http hop still goes through unless there's an authorization or cookie header to protect, exactly as it already behaves for a differing host or port. the last assertion in the added test covers the plain https to http redirect staying allowed.

@arturobernalg arturobernalg Jul 14, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough. Still, this changes the boundary from authority to origin and extends the existing rejection policy to scheme changes. That needs a clear rationale, and the method should be renamed to isSameOrigin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants