net/http: copy headers when following redirects #4800
Comments
I see nothing either way in: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3 On one hand, it seems sane to copy all the headers when following a redirect. On the other hand, what if one of those headers is "Authorization" and it contains credentials you don't want to pass along to another party? I don't know the answer. I'm curious what other implementations do. |
Copy/paste of an internal G+ comment I got about this: ----------- As per these threads, it's not totally specified by HTTP itself: http://lists.w3.org/Archives/Public/ietf-http-wg/2011AprJun/0489.html http://lists.w3.org/Archives/Public/ietf-http-wg/2011JulSep/0014.html See HTML which specifies some part of it: http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html """ First, apply any relevant requirements for redirects (such as showing any appropriate prompts). Then, redo main step, but using the target of the redirect as the resource to fetch, rather than the original resource. For HTTP requests, the new request must include the same headers as the original request, except for headers for which other requirements are specified (such as the Host header). [HTTP] """ As far as Chrome's HTTP stack, we only preserve embedder headers. Here's the algorithm: * Embedder (Chrome/WebKit) specifies "extra" request headers in the URL request. A URL request follows HTTP redirects, so since these are tied to the URL request, they are sent on all HTTP requests. * All other headers are generated internally during HTTP processing: - At the HTTP transaction level (actually, in URLRequestHttpJob), we add some headers, like cookies. - At the network transaction level, we generate the Host header and others. This is also the level at which we do authorization. We re-run the authorization algorithm there, which includes querying our auth cache and re-applying a token if applicable. |
|
Issue #5782 has been merged into this issue. |
|
Issue #7801 has been merged into this issue. |
|
Issue #8027 has been merged into this issue. |
|
Comment 16 by steven.hartland@multiplay.co.uk: Just hit this with our code, specifically not preserving the range request headers which means it prevents any sort of attempt to process ranged downloads unless a custom transport / client is written :( |
|
Comment 17 by steven.hartland@multiplay.co.uk: @ alberto from #5 do you have your proposed patch hosted somewhere we can look at? |
I've just hit this issue when using cookies against http.ServeMux. The cookies are lost when the ServeMux redirects. Here's an example of it happening: http://play.golang.org/p/sMzbiLDm2i and here's a simple workaround: http://play.golang.org/p/JiGekzeAAY |
I don't think we need to enforce the headers to redirects. It's totally doable with CheckRedirect... I use this for my personal API calls and http request. Works well. https://github.com/gyuho/gon/blob/master/httpclient/httpclient.go#L72 |
|
Just got bitten by this one. I was implementing an REST client to eventbrite and if I don't specify a trailing slash after a resource, eventbrite will redirect to the slashed version. However, this means that all the auth headers get dropped, and the redirected GET fails. Wouldn't it be possible/worthwhile to check if the redirect refers to the same host, and copy the headers in such cases? |
This ensures things like our custom UserAgent get preserved if the server does a redirect (my mirror enforces SSL, for example). See golang/go#4800 Code cribbed from gyuho/gon
|
Also just been bitten by this, calling an API with an Authorization header, and the API does a redirect. I can't avoid the redirect, the API implements a The suggestion of implementing a solution similar to cURL wherein headers are retained for redirects on the same host (and scheme would be wise too) is a good one. This is go1.7 btw. |
|
Any updates? This bug can confuse Go newbies. For example, if one uses Reddit API and, having set a unique User-Agent, issues GET requests to, say, https://reddit.com/r/golang/top.json, one will get 429 Too Many Requests most of the time, because reddit.com redirects to www.reddit.com and User-Agent is quietly replaced upon redirect by |
|
I ran on an issue related to this with talks.godoc.org Details: golang/gddo#440 |
|
CL https://golang.org/cl/28930 mentions this issue. |
|
CL https://golang.org/cl/31435 mentions this issue. |
In the situation where the Client.Jar is set and the Request.Header has cookies manually inserted, the redirect logic needs to be able to apply changes to cookies from "Set-Cookie" headers to both the Jar and the manually inserted Header cookies. Since Header cookies lack information about the original domain and path, the logic in this CL simply removes cookies from the initial Header if any subsequent "Set-Cookie" matches. Thus, in the event of cookie conflicts, the logic preserves the behavior prior to change made in golang.org/cl/28930. Fixes #17494 Updates #4800 Change-Id: I645194d9f97ff4d95bd07ca36de1d6cdf2f32429 Reviewed-on: https://go-review.googlesource.com/31435 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
BACKWARDS INCOMPATIBILITIES: - Child process reaping support has been removed, along with the reap configuration option. - The default for max_stale has been increased to a near-indefinite threshold (10 years) to allow DNS queries to continue to be served in the event of a long outage with no leader. - The api package's PreparedQuery.Delete() method now takes WriteOptions instead of QueryOptions. FEATURES: - Key/Value Store Command Line Interface: New consul kv commands were added for easy access to all basic key/value store operations. - Snapshot/Restore: A new /v1/snapshot HTTP endpoint and corresponding set of consul snapshot commands were added for easy point-in-time snapshots for disaster recovery. - AWS auto-discovery: New -retry-join-ec2 configuration options added to allow bootstrapping by automatically discovering AWS instances with a given tag key/value at startup. IMPROVEMENTS: - api: All session options can now be set when using api.Lock(). - agent: Added the ability to bind Serf WAN and LAN to different interfaces than the general bind address. - agent: Added a new tls_skip_verify configuration option for HTTP checks. - agent: Consul is now built with Go 1.7.3. BUG FIXES: - agent: Fixed a Go race issue with log buffering at startup. - agent: Fixed a panic during anti-entropy sync for services and checks. - agent: Fixed an issue on Windows where "wsarecv" errors were logged when CLI commands accessed the RPC interface. - agent: Syslog initialization will now retry on errors for up to 60 seconds to avoid a race condition at system startup. - agent: Fixed a panic when both -dev and -bootstrap-expect flags were provided. - agent: Added a retry with backoff when a session fails to invalidate after expiring. - agent: Fixed an issue where Consul would fail to start because of leftover malformed check/service state files. - agent: Fixed agent crashes on macOS Sierra by upgrading Go. - agent: Log a warning instead of success when attempting to deregister a nonexistent service. - api: Trim leading slashes from keys/prefixes when querying KV endpoints to avoid a bug with redirects in Go 1.7 (golang/go#4800). - dns: Fixed external services that pointed to consul addresses (CNAME records) not resolving to A-records. - dns: Fixed an issue with SRV lookups where the service address was different from the node's. - dns: Fixed an issue where truncated records from a recursor query were improperly reported as errors. - server: Fixed the port numbers in the sample JSON inside peers.info. - server: Squashes ACL datacenter name to lower case and checks for proper formatting at startup. - ui: Fixed an XSS issue with the display of sessions and ACLs in the web UI.
Since original issue was fixed with GoLang release 1.8 (golang/go#4800), GWC will no longer fix broken behaviour from earlier versions of GoLang. If needed, users of GWC might implement similar solution on their own and provide custom instance of http.Client to GWC upon creation.
The text was updated successfully, but these errors were encountered: