On Wednesday 04 October 2023 at 00:30 +0200, Maxime Devos wrote:
> > > The best prevention is not allowing redirects at all or only
> > > allowing redirections that keep the hostname intact -- while an
> > > option for much software, it isn't an option for web browsers.
>
> Partially scratch that -- restricting to ‘keeping hostname intact’ is
> insufficient, because there could be a DNS record that points 'website
> via http' to 127.0.0.1, and hence a redirect from https://website -->
> http://website can change IP addresses from global Internet to local
> computer.
But then, it is not a problem with resolve-relative-reference, and not even a risk with redirections; if the DNS changes before you query the page, then the secret page leaks anyway, no redirection needed.

We could add a warning in the "http-request" method documentation, like:

  Be warned that if you are hosting a private HTTP(S) server on your
  system, a DNS change for a public target URI to your internal IP
  address, or following a redirection from a public target URI to your
  private server, may lead you to consider the response originating from
  your private server as public.

Would that be a good summary?

Vivien
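The two cases discussed above (a redirect whose target resolves to a local or private address even though the hostname is unchanged, and a DNS change that happens before the request is made at all) can be expressed as a small client-side policy. The code below is an added illustration written for this thread, not code from the thread, from Guile's http-request, or from Guix; it is in Python rather than Scheme so it runs stand-alone. The DNS tables, the host names and the function names (`check_redirect`, `treat_response_as_public`) are constructed for the example. The key design choice, following Vivien's point, is that the client classifies a response by the peer address it actually connected to, not by the hostname in the URI.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. DNS_AFTER models the
# situation from the thread: the same public hostname now points at 127.0.0.1.
DNS_BEFORE = {
    "website.example": ["1.2.3.4"],    # constructed public address
    "intranet.example": ["10.0.0.5"],  # private address of an internal server
}
DNS_AFTER = dict(DNS_BEFORE, **{"website.example": ["127.0.0.1"]})


def resolve(host, table):
    """Look up a hostname in the stand-in table; an IP literal resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return list(table.get(host, []))


def is_global_address(addr):
    """True only for globally routable addresses (loopback, private, link-local
    and similar ranges are all treated as non-public)."""
    return ipaddress.ip_address(addr).is_global


def treat_response_as_public(peer_addr):
    """Classify a response by the address the socket actually connected to.

    This is the check the proposed documentation warning asks for: it does not
    depend on redirects at all, so a DNS change that happened before the first
    request is caught just as well as one that happens between two requests.
    """
    return is_global_address(peer_addr)


def check_redirect(origin_peer, target_uri, table):
    """Decide whether following a redirect keeps the request on the public Internet.

    origin_peer is the address the first request was actually sent to. The
    target hostname is resolved again here, so a target that keeps the hostname
    intact but now resolves to a local address is rejected, which is exactly
    why a hostname-only rule is insufficient.
    """
    target_host = urlsplit(target_uri).hostname
    if not target_host:
        return False, "redirect target has no hostname"
    target_addrs = resolve(target_host, table)
    if not target_addrs:
        return False, "redirect target does not resolve"
    origin_public = is_global_address(origin_peer)
    target_public = all(is_global_address(a) for a in target_addrs)
    if origin_public and not target_public:
        return False, "redirect leaves the public Internet for a non-global address"
    return True, "ok"


if __name__ == "__main__":
    print(check_redirect("1.2.3.4", "http://intranet.example/", DNS_BEFORE))
    print(check_redirect("1.2.3.4", "http://website.example/", DNS_BEFORE))
    print(check_redirect("1.2.3.4", "http://website.example/", DNS_AFTER))
    print(treat_response_as_public("127.0.0.1"))
```

Note that `check_redirect` only polices the public-to-non-public transition the thread is about; a redirect between two internal addresses is allowed, because the caller already knows that session is not public.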