Skip to content

fix(fetch): do not follow redirect if scheme is not an HTTP(S) scheme #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 18, 2024
Merged

fix(fetch): do not follow redirect if scheme is not an HTTP(S) scheme #62

merged 1 commit into from
Mar 18, 2024

Conversation

@jacob-ebey
Copy link
Member

@jacob-ebey jacob-ebey commented Mar 18, 2024

No description provided.

@changeset-bot
Copy link

changeset-bot bot commented Mar 18, 2024

🦋 Changeset detected

Latest commit: 25b5f62

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@remix-run/web-fetch Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

brophdawg11
brophdawg11 reviewed Mar 18, 2024
View reviewed changes
packages/fetch/src/fetch.js
return;
}

// HTTP-redirect fetch step 6 (counter increment)
Copy link

@brophdawg11 brophdawg11 Mar 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not from this PR but looks like some of the steps are invalid in here as the spec has evolved maybe? we could take a pass through in a separate PR some other time to get the comments updated

Suggested change
// HTTP-redirect fetch step 6 (counter increment)
// HTTP-redirect fetch step 7 (counter increment)

francisbeaudoin
francisbeaudoin reviewed Mar 18, 2024
View reviewed changes
packages/fetch/src/fetch.js

// https://fetch.spec.whatwg.org/#http-redirect-fetch
// 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network error.
if (locationURL.protocol !== 'http:' && locationURL.protocol !== 'https:') {
Copy link

@francisbeaudoin francisbeaudoin Mar 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This protocol check looks good, but we may also want to support a relative redirection as in an empty locationURL. e.g. Location: /home.

Copy link
Member Author

@jacob-ebey jacob-ebey Mar 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

locationURL is constructed based on the request URL and takes this into consideration already. Tests exist as well:

web-std-io/packages/fetch/src/fetch.js

Line 155 in 050356b

const locationURL = location === null ? null : new URL(location, request.url);

@jacob-ebey jacob-ebey merged commit 7a8596e into main Mar 18, 2024
@jacob-ebey jacob-ebey deleted the no-follow-scheme branch March 18, 2024 18:01
@MichaelDeBoey MichaelDeBoey changed the title fix: do not follow redirect if scheme is not an HTTP(S) scheme fix(fetch): do not follow redirect if scheme is not an HTTP(S) scheme Apr 7, 2025
MichaelDeBoey pushed a commit to MichaelDeBoey/web-std-io that referenced this pull request Apr 7, 2025
@jacob-ebey @MichaelDeBoey
fix: do not follow redirect if scheme is not an HTTP(S) scheme (remix…
6403147 
…-run#62)
@MichaelDeBoey MichaelDeBoey mentioned this pull request Apr 7, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brophdawg11 brophdawg11 brophdawg11 approved these changes

+1 more reviewer

@francisbeaudoin francisbeaudoin francisbeaudoin left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jacob-ebey @brophdawg11 @francisbeaudoin