Document HSTS is still honored if allow_redirects=False #896

Closed
benoitc opened this issue Apr 7, 2020 · 3 comments · Fixed by #1110

benoitc commented Apr 7, 2020

I tried to disable the redirection with latest httpx but it is always redirecting the URL:

>>> import httpx
>>> r = httpx.head("http://www.python.org",  allow_redirects=False)
>>> r.url
URL('https://www.python.org')

status code is also 200 and not 301 as expected.

benoitc commented Apr 7, 2020

so it's probably happening because the domain is using HSTS:

httpx/httpx/_client.py

Lines 213 to 222 in 94323f9

    def merge_url(self, url: URLTypes) -> URL:
        """
        Merge a URL argument together with any 'base_url' on the client,
        to create the URL used for the outgoing request.
        """
        url = self.base_url.join(relative_url=url)
        if url.scheme == "http" and hstspreload.in_hsts_preload(url.host):
            port = None if url.port == 80 else url.port
            url = url.copy_with(scheme="https", port=port)
        return url

I will leave it open as I expected that allow_redirects=False would prevent that. At least the current behaviour, which is correct, could be documented :)

florimondmanca added the "docs" label on Apr 7, 2020

florimondmanca changed the title from "error with allow_redirects=False" to "Document HSTS is still honored if allow_redirects=False" on Apr 7, 2020

florimondmanca (Member) commented

Thanks, just reproduced quickly locally and it does look like we're just honoring HSTS, but no HTTP redirection is being made. I think your suggestion to document this behavior makes sense, so I updated the issue title to reflect this…

florimondmanca added the "good first issue" label on Apr 7, 2020

florimondmanca (Member) commented

Here's the TRACE to confirm that no redirect was made, we just made the request using HTTPS in the first place:

$ HTTPX_LOG_LEVEL=trace python -m asyncio
>>> import httpx
>>> async with httpx.AsyncClient() as c:
...     r = await c.head('http://www.python.org', allow_redirects=False)
...
TRACE [2020-04-07 11:55:59] httpx._config - load_ssl_context verify=True cert=None trust_env=True http2=False
TRACE [2020-04-07 11:55:59] httpx._config - load_verify_locations cafile=/Users/florimond.manca/.pyenv/versions/3.8.1/lib/python3.8/site-packages/certifi/cacert.pem
TRACE [2020-04-07 11:55:59] httpx._dispatch.connection_pool - acquire_connection origin=Origin(scheme='https' host='www.python.org' port=443)
TRACE [2020-04-07 11:55:59] httpx._dispatch.connection_pool - new_connection connection=HTTPConnection(origin=Origin(scheme='https' host='www.python.org' port=443))
TRACE [2020-04-07 11:55:59] httpx._dispatch.connection - start_connect tcp host='www.python.org' port=443 timeout=Timeout(timeout=5.0)
TRACE [2020-04-07 11:55:59] httpx._dispatch.connection - connected http_version='HTTP/1.1'
TRACE [2020-04-07 11:55:59] httpx._dispatch.http11 - send_headers method='HEAD' target='/' headers=Headers({'host': 'www.python.org', 'user-agent': 'python-httpx/0.12.0', 'accept': '*/*', 'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive'})
TRACE [2020-04-07 11:55:59] httpx._dispatch.http11 - send_data data=Data(<0 bytes>)
TRACE [2020-04-07 11:55:59] httpx._dispatch.http11 - receive_event event=NEED_DATA
TRACE [2020-04-07 11:56:00] httpx._dispatch.http11 - receive_event event=Response(status_code=200, headers=[(b'connection', b'keep-alive'), (b'content-length', b'49040'), (b'server', b'nginx'), (b'content-type', b'text/html; charset=utf-8'), (b'x-frame-options', b'DENY'), (b'via', b'1.1 vegur'), (b'via', b'1.1 varnish'), (b'accept-ranges', b'bytes'), (b'date', b'Tue, 07 Apr 2020 09:56:00 GMT'), (b'via', b'1.1 varnish'), (b'age', b'1149'), (b'x-served-by', b'cache-bwi5131-BWI, cache-cdg20742-CDG'), (b'x-cache', b'HIT, HIT'), (b'x-cache-hits', b'1, 7'), (b'x-timer', b'S1586253360.041811,VS0,VE0'), (b'vary', b'Cookie'), (b'strict-transport-security', b'max-age=63072000; includeSubDomains')], http_version=b'1.1', reason=b'OK')
DEBUG [2020-04-07 11:56:00] httpx._client - HTTP Request: HEAD https://www.python.org "HTTP/1.1 200 OK"
TRACE [2020-04-07 11:56:00] httpx._dispatch.http11 - receive_event event=EndOfMessage(headers=[])
TRACE [2020-04-07 11:56:00] httpx._dispatch.http11 - response_closed our_state=DONE their_state=DONE
TRACE [2020-04-07 11:56:00] httpx._dispatch.connection_pool - release_connection connection=HTTPConnection(origin=Origin(scheme='https' host='www.python.org' port=443))
TRACE [2020-04-07 11:56:00] httpx._dispatch.connection - close_connection
TRACE [2020-04-07 11:56:00] httpx._dispatch.http11 - send_event event=ConnectionClosed()
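
As an added example (not code from this thread or from httpx), here is a self-contained model of the behaviour discussed above: the scheme is rewritten before any request is sent, so `allow_redirects=False` never sees a 301. The names `PRELOAD`, `in_preload`, `upgrade` and `explain` are hypothetical, and the preload entries are constructed sample data rather than the real list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the preload list: host -> include_subdomains flag.
# These entries are sample data, not the contents of the real list.
PRELOAD = {"python.org": True, "exact-only.example": False}


def in_preload(host: str, preload: dict = PRELOAD) -> bool:
    """True if host is listed, or a parent domain is listed with include_subdomains."""
    host = host.lower().rstrip(".")
    if host in preload:
        return True
    labels = host.split(".")
    return any(preload.get(".".join(labels[i:])) for i in range(1, len(labels)))


def upgrade(url: str, preload: dict = PRELOAD) -> str:
    """Model of the merge_url logic quoted in the issue: http -> https before sending."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or not in_preload(parts.hostname, preload):
        return url
    # Drop the default port 80; keep an explicit non-default port, as merge_url does.
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def explain(requested: str, final_url: str, status: int, hops: int) -> str:
    """Classify why the response URL differs from the URL the caller asked for."""
    if hops > 0:
        return "redirect-followed"
    if 300 <= status < 400:
        return "redirect-not-followed"
    if final_url != requested and final_url == upgrade(requested):
        return "client-side-hsts-upgrade"
    return "direct"


if __name__ == "__main__":
    asked = "http://www.python.org"
    print(upgrade(asked), explain(asked, upgrade(asked), 200, 0))
```

A check that expects a 3xx from a plaintext endpoint should compare the requested URL with the response URL first, since an upgraded request reports a 200 with zero redirect hops.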
