Skip to content

Reconsider and document redirect policy #518

Open
@WofWca

Description

@WofWca

The problem

It looks like that by default the library uses the default HTTPClient:

websocket/dial.go

Lines 76 to 103 in d1468a7

if o.HTTPClient == nil {
o.HTTPClient = http.DefaultClient
}
if o.HTTPClient.Timeout > 0 {
ctx, cancel = context.WithTimeout(ctx, o.HTTPClient.Timeout)
newClient := *o.HTTPClient
newClient.Timeout = 0
o.HTTPClient = &newClient
}
if o.HTTPHeader == nil {
o.HTTPHeader = http.Header{}
}
newClient := *o.HTTPClient
oldCheckRedirect := o.HTTPClient.CheckRedirect
newClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
switch req.URL.Scheme {
case "ws":
req.URL.Scheme = "http"
case "wss":
req.URL.Scheme = "https"
}
if oldCheckRedirect != nil {
return oldCheckRedirect(req, via)
}
return nil
}
o.HTTPClient = &newClient

And the default HTTP client does follow redirects:

// If CheckRedirect is nil, the Client uses its default policy,
// which is to stop after 10 consecutive requests.

Edit: actually, doesn't the fact that we do specify a CheckRedirect function mean that we do not stop after 10 consecutive requests?

I am aware that it is possible to provide your own HTTPClient struct to the Dial() function, and it is nice to rely on built-in defaults, I think a WebSocket library should be more concrete in this regard. Especially given the fact that this particular one claims to be able to target WASM. And, according to the browser WebSocket spec, redirects are not followed:

redirect mode is "error"

The reason redirects are not followed and this handshake is generally restricted is because it could introduce serious security problems in a web browser context. For example, consider a host with a WebSocket server at one path and an open HTTP redirector at another. Suddenly, any script that can be given a particular WebSocket URL can be tricked into communicating to (and potentially sharing secrets with) any host on the internet, even if the script checks that the URL has the right hostname.

This IMO can be considered an inconsistency between different targets.
Note that changing redirect policy for the WASM version is not possible, according to this library's docs:

HTTPClient, HTTPHeader and CompressionMode in DialOptions are no-op


For reference, the WebSocket spec itself states:

the server might redirect the client using a 3xx status code (but clients are not required to follow them)

Also for reference, the Gorilla WebSocket library IMU does not follow redirects, see this issue: gorilla/websocket#965 and the code.

Suggested solution

  1. Document that the library follows redirects, but not in the WASM version.
  2. For the next version: Do not follow redirects by default, and document this.
    This can either be considered a breaking change (so it goes to v2.x.x), or a bug fix.

Related issue: #333

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions