From 0f0dec5f32f1d50dd84ee405b6d5c88f26f53262 Mon Sep 17 00:00:00 2001
From: Martin Algesten
Date: Fri, 17 Dec 2021 20:49:10 +0100
Subject: [PATCH] Fixes after feedback
---
 src/agent.rs | 8 +++++---
 src/unit.rs | 5 ++++-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/agent.rs b/src/agent.rs
index 9728c7e..6add8eb 100644
--- a/src/agent.rs
+++ b/src/agent.rs
@@ -20,14 +20,16 @@ use {
 ///
 /// `Never` is the default strategy and never preserves `authorization` header in redirects.
 /// `SameHost` send the authorization header in redirects only if the host of the redirect is
-/// the same of the previous request, and both use the `https` scheme.
+/// the same of the previous request, and both use the same scheme (or switch to a more secure one, i.e
+/// we can redirect from `http` to `https`, but not the reverse).
 #[derive(Debug, Clone, PartialEq, Eq)]
 #[non_exhaustive]
 pub enum RedirectAuthHeaders {
 /// Never preserve the `authorization` header on redirect. This is the default.
 Never,
- /// Preserve the `authorization` header when the redirect is to the same host. Must
- /// be under the `https` scheme (though port can differ).
+ /// Preserve the `authorization` header when the redirect is to the same host. Both hosts must use
+ /// the same scheme (or switch to a more secure one, i.e we can redirect from `http` to `https`,
+ /// but not the reverse).
 SameHost,
 }
diff --git a/src/unit.rs b/src/unit.rs
index d06e183..bb2c9d5 100644
--- a/src/unit.rs
+++ b/src/unit.rs
@@ -383,7 +383,10 @@ fn can_propagate_authorization_on_redirect(
 let prev_host = prev_url.host_str();
 let prev_is_https = scheme_is_https(prev_url);
- host == prev_host && prev_is_https && is_https
+ let same_scheme_or_more_secure =
+ is_https == prev_is_https || (!prev_is_https && is_https);
+
+ host == prev_host && same_scheme_or_more_secure
 }
 }
 }
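Review bot: The rewritten `SameHost` docs drop the earlier "(though port can differ)" remark and never state that an `http` to `http` redirect now keeps the header, so a reader cannot tell that credentials may travel unencrypted or reach a different port on the same host. I would add a line to the variant doc such as `/// The port is not compared; on an http-to-http redirect the header is sent in cleartext.` (the port part is inferred from the `host_str()` comparison in `src/unit.rs`, so confirm it). Minor wording: `i.e` should be `i.e.` in both comments, and "the same of the previous request" reads better as "the same as that of the previous request".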
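Review bot: `same_scheme_or_more_secure` compares two booleans rather than the schemes themselves, so any pair of URLs for which `scheme_is_https` returns false counts as "same scheme", and an `http` to `http` hop on the same host now forwards `Authorization` in cleartext where the old condition refused. If that relaxation is intended, the expression reduces to a plain no-downgrade check that is easier to audit: `let no_downgrade = is_https || !prev_is_https;` with a comment such as `// http -> http is allowed: the header goes out unencrypted`. The hunk adds no test for the four scheme combinations; a table test over http/https pairs, plus a differing port since only `host_str()` is compared, would pin the policy. The function body starts above the hunk, so how `host` and `is_https` are derived is not visible here.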