[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#37187: 26.2; url-retrieve redirect lost Authorization headers
From: |
Lars Ingebrigtsen |
Subject: |
bug#37187: 26.2; url-retrieve redirect lost Authorization headers |
Date: |
Fri, 20 Sep 2019 22:36:18 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) |
Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:
> I have an issue with the 'url-retrieve' function:
> If the target url returns a redirect, the 'Authorization' header is not
> sent on the redirect url.
This is apparently on purpose:
;; Do not automatically include an authorization header in the
;; redirect. If needed it will be regenerated by the relevant
;; auth scheme when the new request happens.
(setq url-http-extra-headers
(cl-remove "Authorization"
url-http-extra-headers :key 'car :test 'equal))
It's from this patch:
commit 325200ac1dcf5bed6918ea827d8a48d89487e083
Author: Thomas Fitzsimmons <fitzsim@fitzsim.org>
Date: Wed Sep 23 01:45:29 2015 -0400
Do not include authorization header in an HTTP redirect
* lisp/url/url-http.el (url-http-parse-headers): Do not
automatically include Authorization header in redirect.
(Bug#21350)
And I think that makes sense -- when there's a redirect, the domain may
be new, and the auth should perhaps not be sent there.
I've had a look at the standards, but I can't see that they say anything
about this, so I think that perhaps this works as it's supposed to. But
I haven't checked what Firefox does, for instance.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
- bug#37187: 26.2; url-retrieve redirect lost Authorization headers,
Lars Ingebrigtsen <=