Add ability to follow redirects #1490
I would throw an error if changing from HTTPS to HTTP to notify about security issues by default, and maybe add an option to disable it.
We can but afaik none of the most popular HTTP libs (request, got, node-fetch, axios, etc.) do it. Accepting redirects has a lot of security implications, like open redirect attacks, or passing authorization headers when the hostname changes. It should be enabled only when the server is trusted.
So do you think just leaving redirections as an opt-in is just enough?
I don't know if it is enough, but it is the reason why I chose to not follow redirects by default.
9dcda20 to 29fdffc
Great! Thank you :-)
abortHandshake(this, req, `Unexpected server response: ${res.statusCode}`); | ||
initAsClient(websocket, addr, protocols, options); |
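Review bot: The `initAsClient(websocket, addr, protocols, options)` call passes the original `options` through unchanged, so anything in it that was meant for the first host (an Authorization header, for example, which the conversation above raises) would also be sent to `addr`. Consider dropping credential-bearing headers when the host of `addr` differs from the original one, or documenting that redirects must only be enabled for trusted servers. Nothing in these two lines reports `addr` back to the caller either; exposing the followed URL would cover tracking.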
I think the redirect address should be emitted in some way to allow tracking.
Known defects:
Fixes #812
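
The redirect concerns raised in the conversation above (TLS downgrade, credentials sent to a different host, tracking the followed address) can be expressed as one policy check. This is an added example, not code from this pull request or from the project; `checkRedirect`, `allowDowngrade`, `maxRedirects` as used here and the `state` object are hypothetical names.

```javascript
// Added example: decide whether a client should follow a handshake redirect.
// All names here are hypothetical and not taken from the pull request.
const SENSITIVE = ['authorization', 'cookie', 'proxy-authorization'];
const SECURE = new Set(['wss:', 'https:']);
const ALLOWED = ['ws:', 'wss:', 'http:', 'https:'];

function checkRedirect(currentUrl, location, headers, state, policy = {}) {
  const { maxRedirects = 10, allowDowngrade = false } = policy;
  // Bound the chain so a redirect loop cannot run forever.
  if (state.count + 1 > maxRedirects) {
    return { follow: false, reason: 'maximum redirects exceeded' };
  }
  const from = new URL(currentUrl);
  let to;
  try {
    to = new URL(location, from); // Location may be relative
  } catch {
    return { follow: false, reason: 'invalid Location header' };
  }
  if (!ALLOWED.includes(to.protocol)) {
    return { follow: false, reason: `unsupported scheme ${to.protocol}` };
  }
  // Refuse TLS -> plaintext unless the caller explicitly opted in.
  const downgrade = SECURE.has(from.protocol) && !SECURE.has(to.protocol);
  if (downgrade && !allowDowngrade) {
    return { follow: false, reason: 'redirect downgrades from TLS to plaintext' };
  }
  // Keep credentials only for the same host over an equally secure channel.
  const keepCredentials = from.host === to.host && !downgrade;
  const nextHeaders = {};
  for (const [name, value] of Object.entries(headers)) {
    if (keepCredentials || !SENSITIVE.includes(name.toLowerCase())) {
      nextHeaders[name] = value;
    }
  }
  // Record every followed address so the caller can inspect the chain.
  state.count += 1;
  state.chain.push(to.href);
  return { follow: true, url: to.href, headers: nextHeaders };
}
```

The caller creates `state` as `{ count: 0, chain: [] }` once per connection attempt and passes it to every call, so `state.chain` ends up holding each followed address.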