The behavior of 301 and 302 redirects in the HTTPRequest node is not
standards-compliant. Specifically, requests using unsafe methods were not
being changed to GET and their headers were not being modified. This
means that we were automatically redirecting POST, PUT, etc. requests
with empty bodies and the same headers. This can pose a security risk if
the server expects 301/302 responses to get changed to GET or if the
user doesn't expect unsafe methods to be automatically redirected.
Per
[RFC9110](https://www.rfc-editor.org/rfc/rfc9110#name-redirection-3xx),
the correct behavior is to change the method to GET for 301 and 302
redirections and remove any content headers as well as those related to
security contexts like "Authorization: ".
I have made these changes, so now the 301 and 302 redirects should
change any unsafe methods to GET and remove any sensitive headers.
GET, HEAD, OPTIONS, and TRACE requests that receive a 301 or 302 are
automatically forwarded unchanged since those methods are safe.
Co-authored-by: Fabio Alessandrelli <fabio.alessandrelli@gmail.com>
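As an added illustration of the redirect policy described above (example code, not Godot's HTTPRequest implementation): a small C++ model of the follow-up request built on 301/302, where the `Request` struct, the constructed sample request and the header set are assumptions. It also covers 307/308, which RFC 9110 requires to be forwarded with method and body intact.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Constructed model of an outgoing request (not Godot's HTTPRequest).
struct Request {
    std::string method;
    std::map<std::string, std::string> headers;
    std::string body;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Safe methods (RFC 9110, section 9.2.1) may be re-sent unchanged on 301/302.
static bool is_safe_method(const std::string &m) {
    return m == "GET" || m == "HEAD" || m == "OPTIONS" || m == "TRACE";
}

// Headers that describe the body or carry credentials; dropped once the
// request has been rewritten to a bodyless GET.
static bool dropped_on_rewrite(const std::string &name) {
    const std::string n = lower(name);
    return n.rfind("content-", 0) == 0 || n == "transfer-encoding" || n == "authorization";
}

// Build the request to send to the Location target. 301/302 on an unsafe
// method becomes a GET without body or content/credential headers; safe
// methods and 307/308 are forwarded exactly as they were.
Request follow_redirect(const Request &req, int status) {
    Request next = req;
    if ((status == 301 || status == 302) && !is_safe_method(req.method)) {
        next.method = "GET";
        next.body.clear();
        for (auto it = next.headers.begin(); it != next.headers.end();)
            it = dropped_on_rewrite(it->first) ? next.headers.erase(it) : std::next(it);
    }
    return next;
}

// Constructed sample: a POST carrying a JSON body and a bearer token.
Request sample_post() {
    return Request{"POST", {{"Content-Type", "application/json"},
                            {"Authorization", "Bearer TOKEN-PLACEHOLDER"},
                            {"Accept", "*/*"}}, "{\"a\":1}"};
}

int main() {
    Request r = follow_redirect(sample_post(), 302);
    std::cout << r.method << " headers=" << r.headers.size() << " body=\"" << r.body << "\"\n";
}
```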
This also makes errors related to asset image loading
verbose-only, because, frankly, users can't do much about
those errors. Spamming them with error messages
about some assets on the frontend being broken
is pointless.
Use a TLSOptions configuration object which is created via static
functions.
- "TLSOptions.client": uses the standard CA and common name verification.
- "TLSOptions.client_unsafe": uses optional CA verification (i.e. if specified)
- "TLSOptions.server": is the standard server configuration (chain + key)
This will allow us to expand the TLS configuration options to include
e.g. mutual authentication without bloating the classes that use
StreamPeerTLS and PacketPeerDTLS as underlying peers.
As many open source projects have started doing, we're removing the
current year from the copyright notice, so that we don't need to bump
it every year.
It seems like only the first year of publication is technically
relevant for copyright notices, and even that seems to be something
that many companies stopped listing altogether (in a version controlled
codebase, the commits are a much better source of date of publication
than a hardcoded copyright statement).
We also now list Godot Engine contributors first as we're collectively
the current maintainers of the project, and we clarify that the
"exclusive" copyright of the co-founders covers the timespan before
opensourcing (their further contributions are included as part of Godot
Engine contributors).
Also fixed "cf." Frenchism - it's meant as "refer to / see".
Decompress each body chunk over multiple iterations. This causes more
reallocations, but it ensures decompression will not fail no matter the
compression ratio.
* Adds proxy support for `HTTPRequest`.
* Adds `network/http_proxy/{host,port}` editor settings.
* Labeled as "HTTP Proxy" and it will be used for both HTTP and
HTTPS requests. This is the same convention as seen in Android
Studio's proxy settings.
* Makes Asset Library and Export Template Manager use proxy according to
the editor settings.
* Added a new macro SNAME() that constructs and caches a local stringname.
* Subsequent usages use the cached version.
* Since these use a global static variable, a second refcounter of static usages needs to be kept for cleanup time.
* Replaced all theme usages by this new macro.
* Replaced all signal emission usages by this new macro.
* Replaced all call_deferred usages by this new macro.
This is part of ongoing work to optimize GUI and the editor.
We've been using standard C library functions `memcpy`/`memset` for these since
2016 with 67f65f6639.
There was still the possibility for third-party platform ports to override the
definitions with a custom header, but this doesn't seem useful anymore.
Splits the URL into (scheme, host, port, path).
Supports both literal IPv4 and IPv6.
Strips credentials when present (e.g. http://user:pass@example.com/).
Uses that function in both HTTPRequest and WebSocketClient.