mirror of https://github.com/godotengine/godot
9cb9c28c3c
The behavior of 301 and 302 redirects in the HTTPRequest node are not standards-compliant. Specifically, requests using unsafe methods were not being changed to GET and their headers were not being modified. This means that we were automatically redirecting POST, PUT, etc. requests with empty bodies and the same headers. This can pose a security risk if the server expects 301/302 responses to get changed to GET or if the user doesn't expect unsafe methods to be automatically redirected. Per [RFC9110](https://www.rfc-editor.org/rfc/rfc9110#name-redirection-3xx), the correct behavior is to change the method to GET for 301 and 302 redirections and remove any content headers as well as those related to security contexts like "Authorization: ". I have made these changes, so now the 301 and 302 redirects should change any unsafe methods to GET and remove any sensitive headers. GET, HEAD, OPTIONS, and TRACE requests that receive a 301 or 302 are automatically forwarded unchanged since those methods are safe. Co-authored-by: Fabio Alessandrelli <fabio.alessandrelli@gmail.com> |
||
|---|---|---|
| .. | ||
| SCsub | ||
| canvas_item.compat.inc | ||
| canvas_item.cpp | ||
| canvas_item.h | ||
| canvas_layer.cpp | ||
| canvas_layer.h | ||
| http_request.cpp | ||
| http_request.h | ||
| instance_placeholder.cpp | ||
| instance_placeholder.h | ||
| missing_node.cpp | ||
| missing_node.h | ||
| multiplayer_api.cpp | ||
| multiplayer_api.h | ||
| multiplayer_peer.cpp | ||
| multiplayer_peer.h | ||
| node.compat.inc | ||
| node.cpp | ||
| node.h | ||
| resource_preloader.cpp | ||
| resource_preloader.h | ||
| scene_tree.cpp | ||
| scene_tree.h | ||
| scene_tree_fti.cpp | ||
| scene_tree_fti.h | ||
| scene_tree_fti_tests.cpp | ||
| scene_tree_fti_tests.h | ||
| shader_globals_override.cpp | ||
| shader_globals_override.h | ||
| status_indicator.cpp | ||
| status_indicator.h | ||
| timer.cpp | ||
| timer.h | ||
| viewport.cpp | ||
| viewport.h | ||
| window.cpp | ||
| window.h | ||