jaikiran commented on pull request #173: URL: https://github.com/apache/ant/pull/173#issuecomment-1000029159
> Therefore I didn't change the default behavior to avoid breaking existing Ant scripts. This means, "authenticateOnRedirect" defaults to "true". But maybe it would be better to change this.

I was leaning towards making this new `authenticateOnRedirect` to default to `false` to be more secure (i.e. don't set Authorization header to redirected URL unless explicitly asked to). That might break scripts but I think that's probably a good thing since it would force users to review their target URLs and decide if they really want to send the auth header on redirect for that specific URL.

The only place where this would probably be a nuisance is if the redirect is happening just for the scheme. What I mean is if the original URL `http://example.com/foo` was redirecting to `https://example.com/foo`. Or even in some cases where servers redirect a URL of the form `http://example.com/foo` to `http://example.com/foo/` (slash at the end).

So yes, I guess leaving the current backward compatible behaviour is OK.
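The redirect cases described in the comment above, as an added example that is not part of the original message or of Ant's code: a hypothetical helper (`RedirectReview`, `classify`) that labels a redirect as scheme-only, trailing-slash, or one that changes where an Authorization header would be sent. The `mirror.example.net` URL is constructed, and both URLs are assumed to be absolute.

```java
import java.net.URI;
import java.util.Objects;

public class RedirectReview {
    enum Kind { SCHEME_UPGRADE, TRAILING_SLASH, OTHER_SAME_HOST, CROSS_HOST }

    // Explicit port, or the scheme default, so example.com and example.com:80 compare equal.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    static String path(URI u) {
        String p = u.getRawPath();
        return (p == null || p.isEmpty()) ? "/" : p;
    }

    // Both URIs are assumed absolute; anything without a scheme and host is treated as CROSS_HOST.
    static Kind classify(URI from, URI to) {
        String fs = from.getScheme(), ts = to.getScheme();
        String fh = from.getHost(), th = to.getHost();
        if (fs == null || ts == null || fh == null || th == null || !fh.equalsIgnoreCase(th)) {
            return Kind.CROSS_HOST;
        }
        boolean sameQuery = Objects.equals(from.getRawQuery(), to.getRawQuery());
        boolean samePath = path(from).equals(path(to));
        if (!fs.equalsIgnoreCase(ts)) {
            // Only http -> https on the default ports with nothing else changed counts as an upgrade.
            boolean upgrade = "http".equalsIgnoreCase(fs) && "https".equalsIgnoreCase(ts)
                    && port(from) == 80 && port(to) == 443;
            return (upgrade && samePath && sameQuery) ? Kind.SCHEME_UPGRADE : Kind.OTHER_SAME_HOST;
        }
        if (port(from) != port(to)) return Kind.OTHER_SAME_HOST;
        if (sameQuery && path(to).equals(path(from) + "/")) return Kind.TRAILING_SLASH;
        return Kind.OTHER_SAME_HOST;
    }

    public static void main(String[] args) {
        // Constructed pairs: the first two are the cases from the comment, the third is made up.
        String[][] pairs = {
            {"http://example.com/foo", "https://example.com/foo"},
            {"http://example.com/foo", "http://example.com/foo/"},
            {"http://example.com/foo", "https://mirror.example.net/foo"},
        };
        for (String[] p : pairs) {
            System.out.println(p[0] + " -> " + p[1] + " : " + classify(URI.create(p[0]), URI.create(p[1])));
        }
    }
}
```

Redirects labelled `CROSS_HOST` or `OTHER_SAME_HOST` are the ones to review before deciding whether credentials should follow them.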