net/http: Redirect Referer uses previous URL instead of Referer #44160
Comments
I can verify that Firefox 85.0 uses the original The header is overridden in refererForURL and the default HTTP client. First, it removes the header if we're going from https->http, which adheres to the spec, and afterwards it always substitutes the header with the last request URL, regardless of the incoming Referer. I think the spec is a little vague regarding what should happen in cases of redirects, but it does mention the following
My 2c is that we could add a condition inside One impact on current functionality, e.g. for the following redirect chain Would it be okay for me to open a CL and continue the conversation there? Or should we wait for the cc'ed people to chime in?
@tpaschalis It's generally better to have a discussion in the issue before writing significant code (see https://golang.org/doc/contribute.html#before_contributing). But you can send a CL sooner if it isn't a lot of work and you feel it will help move the discussion forward or provide useful data.
Change https://golang.org/cl/291636 mentions this issue:
cc @neild
This looks like a good fix. Sending the original referer is what all the browsers do even if the RFC is a bit vague so can we merge this?
when can we merge this? |
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
Consider the following code:
I've made a request to http://google.com which I know will be redirected and added a Referer header. The tracing is added so I can see which headers are being sent per request.
What did you expect to see?
The first request includes the Referer header set to https://github.com.
The second request had the Referer header set to http://google.com
What did you see instead?
I expected the second request to have the same Referer header as the first request (https://github.com instead of http://google.com)
I'm not sure what http clients are supposed to do, but cURL and Google Chrome both use the original Referer header for the second request.
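A caller-side way to keep the original Referer across a redirect while still dropping it on an https->http hop, as an added example that is not code from this issue or from the Go project. The names preserveReferer, hopRecorder and refererPerHop and the host a.example are hypothetical; the stub transport replaces the network, and the default policy's second-hop value is printed rather than assumed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// preserveReferer (hypothetical name): CheckRedirect hook that re-applies the caller's Referer.
func preserveReferer(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects") // keep the default hop limit
	}
	if orig := via[0].Header.Get("Referer"); orig != "" {
		req.Header.Set("Referer", orig) // override whatever the client chose for this hop
	}
	if via[len(via)-1].URL.Scheme == "https" && req.URL.Scheme == "http" {
		req.Header.Del("Referer") // never carry a Referer onto a downgraded hop
	}
	return nil
}

// hopRecorder: stub transport (constructed, no network); /start redirects to /final.
type hopRecorder struct{ seen map[string]string }

func (h *hopRecorder) RoundTrip(r *http.Request) (*http.Response, error) {
	h.seen[r.URL.Path] = r.Header.Get("Referer") // record what this hop received
	if r.URL.Path == "/start" {
		return &http.Response{StatusCode: 302, Header: http.Header{"Location": {"/final"}}, Body: http.NoBody}, nil
	}
	return &http.Response{StatusCode: 200, Header: http.Header{}, Body: http.NoBody}, nil
}

// refererPerHop returns the Referer each hop received; a nil hook means the default policy.
func refererPerHop(hook func(*http.Request, []*http.Request) error, referer string) (map[string]string, error) {
	rec := &hopRecorder{seen: map[string]string{}}
	req, _ := http.NewRequest(http.MethodGet, "http://a.example/start", nil)
	req.Header.Set("Referer", referer)
	resp, err := (&http.Client{Transport: rec, CheckRedirect: hook}).Do(req)
	if err != nil {
		return nil, err
	}
	return rec.seen, resp.Body.Close()
}

func main() {
	fmt.Println(refererPerHop(nil, "https://github.com"))
	fmt.Println(refererPerHop(preserveReferer, "https://github.com"))
}
```

Setting CheckRedirect replaces the client's default redirect policy, which is why the hook re-implements the 10-redirect limit itself.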