HttpClient should drop authorization headers when following redirects to different hosts by default #47246
Labels
area-core-library
SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries.
library-io
Comments
|
For reference, how curl deals with this :
|
lrhn
added
area-core-library
|
That's not only a security issue but a usability issue also. For example, if have a server with an authorization that redirects to S3 it leads to an error because S3 tries to use provided authorization header. We have faced it implementing dart packages repositories support in our tool and we weren't the first one https://stackoverflow.com/questions/63694476/how-to-remove-authorization-header-on-redirect-on-any-flutter-dart-http-client |
|
How the same security issue was addressed in Ktor HttpClient: ktorio/ktor@0c10815 |
|
Duplicate of #45410 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I can't find evidence in the standards to support this, but it seems to be standard practice to drop Authorization headers when handling a cross-origin redirect, to avoid leaking credentials when the host has been tricked into sending redirects somehow.
See e.g.
https://stackoverflow.com/questions/17092259/should-authorization-be-kept-when-redirection-is-handled
The text was updated successfully, but these errors were encountered: