Assert HTTPS through redirects on client request (GET, POST, ...) #3416
Comments
|
GitMate.io thinks the contributor most likely able to help you is @asvetlov. Possibly related issues are #3390 (redirects?), #1557 (POST request always follow redirects), #141 (body for HTTP GET request), #3082 ([client] 301 in POST gets redirected to GET), and #852 (Http client HEAD request failed to release). |
|
You can achieve the same result right now without waiting for a new feature. |
|
@asvetlov I think you can delete the labels since it is not a bug or enhancement issue. |
|
Well, it is not a bug but a possible request for an enhancement. |
|
I think it's impossible to automatically ensure such case. Web server can be doing such redirects conditionally and even if we'll send pre-flight HEAD request it doesn't guarantee that the server's behavior will be redirecting to https. There's no way to check this without sending an actual request with actual data. I'm not sure whether this feature should be in the framework but if yes, I'd add a flag as forbid_insecure or forbid_http probably. Insecure version is better because it has a potential to be extended to non-http protocols. Like ws vs. wss. |
Yeah. Just like https://www.chromium.org/hsts, and it's different from 301. |
|
In other words, aiohttp client should raise an exception if secure mode is requested and the connection is not protected. Any champion for the feature? |
|
Hello. I also have an interest in this feature and can attempt to implement it.
I may be oversimplifying the issue, but restricting the schemes accepted by the r_url should solve this, no? Lines 479 to 481 in 66d1f9c What would be the necessity for a pre-flight HEAD request? |
|
I suggest checking |
Something like this? Lines 402 to 404 in 66d1f9c if redirects > 0 and forbid_insecure and conn.transport.get_extra_info("sslcontext") is None:
raise InsecureRedirect() |
|
Yes, but without Minor neat: |
https://tools.ietf.org/html/rfc6797 |
|
@yjqiang please elaborate |
Ok. Edited. |
Fair point
I support the idea of implementing hsts... Would you guys mind if I open a pull request with the mentioned changes? |
|
@HeavenVolkoff "The policy is declared by websites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example." So maybe we need to handle it when the server returns hsts response? |
|
I think implementing HSTS spec would be an important security feature to aiohttp. However, after understanding it a bit better, I do not see it as being a solution for this feature request. If what I understood from @Raphael-C-Almeida request is correct. What he (and I, for that matter) want is some form of enforcement to prevent cases when the webserver, being contacted through tls, sends a redirect status code to another insecure URL (eg. http://foo.bar). HSTS would not prevent this as it protects only against insecure access of secure-only domains and sub-domains that could lead to data leak or become a phishing entrypoint. @Raphael-C-Almeida is my understanding of your request correct? |
You are right. HSTS only supports when we are at the same domain. And the feature request from @Raphael-C-Almeida is that we should keep tls while redirecting.(eg: url_from_google_result -> actual_url) |
Maybe "tls_redirects" is more readable? We ensure that during redirections, every point is url with https. |
|
Yes @HeavenVolkoff this is what I meant. It's not exactly HTST. About the name, @yjqiang, I think the aiohttp user should be able to restrict the connection to a secure one even for in case where no redirects happen, so I think that something like @asvetlov also commented about that a few posts above: #3416 (comment) |
|
@Raphael-C-Almeida But the way we are going to use is just forbidding http redirection and http requests. Maybe there will be other ways to hack it? So it is not good for "forbid_insecure". |
|
Makes sense. |
|
IMHO |
|
The proposal is forbidding not SSL/TSL transport. The intention is clear, the implementation is obvious. |
|
The modern thing is called TLS, SSL is a deprecated: https://tools.ietf.org/html/rfc7568 |
Yes, I know. Just saying that aiohttp and Python still use the term |
|
@HeavenVolkoff actually, there's a PEP with is seeking to fix that https://www.python.org/dev/peps/pep-0543/ |
I need to send some critical data on a post request, but the URL is given by a client, so I need to ensure that the data will be sent under SSL. I check the URL for https schema, but if the host send me 301 and redirect to an HTTP website my data will be sent through an insecure channel.
I think it would be nice if I could set "ensure_https" or "ensure_ssl" on a post request for example. If the host redirected me from https to http and "ensure_https" was set, it should raise an exception.
The text was updated successfully, but these errors were encountered: