Re: [whatwg/fetch] Cannot get next URL for redirect="manual" (#763)

> That is by design: https://fetch.spec.whatwg.org/#atomic-http-redirect-handling. This feature is useful in combination with service workers.

There's an example used to explain a security risk. One can simply use `curl` to get the URI with the secret mentioned there.

The server application can respond with secrets in many other ways without any redirect. Omitting the redirect data is just a drop in the bucket when it comes to preventing security leaks in server applications.

Therefore the server application must be hardened. In most cases the server application is my own application. But in fact a GET request can go anywhere, to any third-party server application on the WWW. I (the client) am not responsible for their security issues.

It's not the client's responsibility. Any security measures in the client's code should affect the client's security, not the server's. But the specification mentioned above ignores that fact at the user's expense.

I have use cases where I must prevent an auto-redirect because I have to set various additional headers and options before the redirect is made. Omitting the redirect data makes that impossible.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/763#issuecomment-1431305657

Message ID: <whatwg/fetch/issues/763/1431305657@github.com>

Received on Wednesday, 15 February 2023 12:39:42 UTC