[Webkit-unassigned] [Bug 230935] Authorization header lost on 30x redirects

bugzilla-daemon at webkit.org
Mon Oct 4 12:13:15 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230935

--- Comment #4 from Chris Dumez <cdumez at apple.com> ---
(In reply to Chris Dumez from comment #3)
> https://fetch.spec.whatwg.org/#concept-http-redirect-fetch says to use the
> same request as the original one except for the URL in this case. 
> 
> NetworkResourceLoader::willSendRedirectedRequest() gets called with a
> redirectRequest which already doesn't include the Authorization header so I
> guess it is not WebKit that's dropping it but likely CFNetwork under us?

I added logging inside:
- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task willPerformHTTPRedirection:(NSHTTPURLResponse *)response newRequest:(NSURLRequest *)request completionHandler:(void (^)(NSURLRequest *))completionHandler;

And I see that the NSURLRequest provided by CFNetwork for the redirect is missing the Authorization header. I believe this confirms that CFNetwork is indeed dropping the header. I guess WebKit could add the authorization header back after getting the request from CFNetwork, but it would feel a bit hacky. I am curious why CFNetwork would be dropping it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
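
The workaround mentioned in the comment above (adding the header back inside the redirect delegate), as an added example that is not WebKit's code and not part of the original message: it restores Authorization only when the redirect stays on the same origin, so the credential is not forwarded to a different host. The class name RedirectAuthDelegate and the two helper functions are hypothetical, and it is an assumption that task.currentRequest is the request that received the redirect.

```objc
#import <Foundation/Foundation.h>

// Hypothetical delegate, named for this example only.
@interface RedirectAuthDelegate : NSObject <NSURLSessionTaskDelegate>
@end

// Port with scheme defaults applied, so https://h and https://h:443 match.
static NSInteger EffectivePort(NSURL *url)
{
    if (url.port) return url.port.integerValue;
    NSString *scheme = url.scheme.lowercaseString;
    if ([scheme isEqualToString:@"https"]) return 443;
    return [scheme isEqualToString:@"http"] ? 80 : -1;
}

static BOOL IsSameOrigin(NSURL *a, NSURL *b)
{
    if (!a.scheme || !b.scheme || !a.host || !b.host)
        return NO;
    return [a.scheme caseInsensitiveCompare:b.scheme] == NSOrderedSame
        && [a.host caseInsensitiveCompare:b.host] == NSOrderedSame
        && EffectivePort(a) == EffectivePort(b);
}

@implementation RedirectAuthDelegate

- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task willPerformHTTPRedirection:(NSHTTPURLResponse *)response newRequest:(NSURLRequest *)request completionHandler:(void (^)(NSURLRequest *))completionHandler
{
    // Assumption: currentRequest is the request that received this redirect.
    NSURLRequest *previous = task.currentRequest;
    NSString *authorization = [previous valueForHTTPHeaderField:@"Authorization"];

    // Pass the proposed request through unchanged unless the previous hop
    // carried the header, the proposed one lacks it, and the origin is the same.
    if (!authorization
        || [request valueForHTTPHeaderField:@"Authorization"]
        || !IsSameOrigin(previous.URL, request.URL)) {
        completionHandler(request);
        return;
    }

    NSMutableURLRequest *restored = [request mutableCopy];
    [restored setValue:authorization forHTTPHeaderField:@"Authorization"];
    completionHandler(restored);
}

@end
```

Because the header is copied only from the immediately preceding hop, a chain that leaves the origin and later returns to it does not get the credential back.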