
Closed

RedirectValidationMiddleware should support protocol switching

description

The PostInvokeNext method determines the requestAuthority to be port + host so that redirection validation can ignore redirect requests to the same host. This fails when redirection is from http://host to https://host. It would be handy to include a flag for whether the protocol + host is validated or just host.

My issue here is that I have the same build that can be deployed to multiple environments. I don't want to dirty up my OWIN configuration with all possible targets (which could in itself allow a bug if code redirects between environments for some misconfiguration reason).
Closed Oct 7, 2014 at 7:48 PM by klings
Fixed in today's NWebsec release.

comments

klings wrote Sep 26, 2014 at 10:09 PM

Uhm, Codeplex totally messed up the previous comment. I'll delete it and give it another try.

I'm thinking of adding a configuration method along the lines of
AllowSameHostHttpsRedirects(params int[] ports)
If no parameters are supplied, it would assume default port. Would that sort out your scenario?

This should handle the case of varying hostnames across environments and also make it easy to allow redirects for applications running on HTTPS on non-standard ports.
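The validation rule discussed in the description and in the proposed AllowSameHostHttpsRedirects method can be shown with a small, self-contained C# policy class. This is an added illustration, not NWebsec's RedirectValidationMiddleware or its actual configuration API: the class name, the AllowedDestinations method, IsRedirectAllowed and the sample URIs in Demo are all assumptions. It resolves the Location header against the request, always accepts same-authority redirects (the existing behaviour), additionally accepts same-host redirects to HTTPS on the configured ports when that option is enabled, and otherwise falls back to an explicit whitelist.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical redirect policy illustrating the thread's proposal.
// Not NWebsec's code; all names below are assumptions.
public sealed class RedirectPolicy
{
    private readonly List<Uri> _allowedDestinations = new List<Uri>();
    private HashSet<int> _sameHostHttpsPorts; // null => protocol switch not allowed

    // Whitelist absolute destination prefixes, e.g. "https://login.example.com/".
    public RedirectPolicy AllowedDestinations(params string[] destinations)
    {
        foreach (var d in destinations)
            _allowedDestinations.Add(new Uri(d, UriKind.Absolute));
        return this;
    }

    // Same-host http -> https redirects are accepted for the given ports;
    // with no ports supplied the default HTTPS port (443) is assumed,
    // matching the semantics proposed in the thread.
    public RedirectPolicy AllowSameHostHttpsRedirects(params int[] ports)
    {
        _sameHostHttpsPorts = new HashSet<int>(ports.Length == 0 ? new[] { 443 } : ports);
        return this;
    }

    public bool IsRedirectAllowed(Uri request, string location)
    {
        if (request == null || string.IsNullOrEmpty(location)) return false;

        Uri target;
        // Relative Locations resolve against the request and therefore keep its authority.
        // A scheme-relative "//other.example/" resolves to another host and is caught below.
        if (!Uri.TryCreate(request, location, out target)) return false;

        // 1. Same scheme, host and port as the request: the existing same-host rule.
        if (SameAuthority(request, target)) return true;

        // 2. Same host, target is https on an allowed port: the protocol-switch case
        //    from the issue (http://host -> https://host).
        if (_sameHostHttpsPorts != null
            && target.Scheme == Uri.UriSchemeHttps
            && string.Equals(request.Host, target.Host, StringComparison.OrdinalIgnoreCase)
            && _sameHostHttpsPorts.Contains(target.Port))
            return true;

        // 3. Explicit whitelist of absolute destination prefixes (scheme must match too).
        return _allowedDestinations.Any(allowed =>
            allowed.Scheme == target.Scheme && allowed.IsBaseOf(target));
    }

    private static bool SameAuthority(Uri a, Uri b)
    {
        return a.Scheme == b.Scheme
            && string.Equals(a.Host, b.Host, StringComparison.OrdinalIgnoreCase)
            && a.Port == b.Port;
    }

    // Constructed sample cases; "app.example.test" and the ports are made-up values.
    public static void Demo()
    {
        var request = new Uri("http://app.example.test/login");

        var strict = new RedirectPolicy();
        Console.WriteLine(strict.IsRedirectAllowed(request, "/home"));                      // True  (relative)
        Console.WriteLine(strict.IsRedirectAllowed(request, "https://app.example.test/"));  // False (scheme differs)

        var relaxed = new RedirectPolicy().AllowSameHostHttpsRedirects();
        Console.WriteLine(relaxed.IsRedirectAllowed(request, "https://app.example.test/"));      // True  (port 443)
        Console.WriteLine(relaxed.IsRedirectAllowed(request, "https://app.example.test:8443/")); // False (port not listed)
        Console.WriteLine(relaxed.IsRedirectAllowed(request, "//other.example.test/"));          // False (other host)

        var custom = new RedirectPolicy().AllowSameHostHttpsRedirects(443, 8443);
        Console.WriteLine(custom.IsRedirectAllowed(request, "https://app.example.test:8443/")); // True
    }
}
```

Because rule 2 compares the target host against the incoming request's host rather than against a configured list, the same build works unchanged across environments with different hostnames, which addresses the deployment concern raised in the description without whitelisting every environment's URL.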

rprimrose wrote Sep 27, 2014 at 3:40 AM

Yep, that looks like a good idea.

klings wrote Oct 7, 2014 at 7:47 PM

You can now allow same host https redirects through a new configuration method. Thank you for reporting this!