#432: open http:// pathname doesn't follow redirects
------------------------------+--------------------------
      Reporter:  aruttenberg  |      Owner:  mevenson
          Type:  defect       |     Status:  accepted
      Priority:  blocker      |  Milestone:  1.5.0
     Component:  streams      |    Version:  1.5.0-dev
    Resolution:               |   Keywords:  has-test uri
Parent Tickets:               |
------------------------------+--------------------------

Comment (by mevenson):

 The {{{URL-PATHNAME}}} constructor is working again, which reveals a more
 basic problem in that {{{java.net.URLConnection}}} does not "follow"
 redirects across scheme change, i.e.
 {{{http://purl.obolibrary.org/obo/iao.owl}}} via scheme {{{http}}}
 redirects to {{{https://raw.githubusercontent.com/information-artifact-ontology/IAO/master/releases/2015-02-23/iao.owl}}}
 using scheme {{{https}}}.

 Writing code to follow scheme changes across redirects is fairly trivial
 (see <http://stackoverflow.com/questions/1884230/urlconnection-doesnt-follow-redirect#1884427>)
 but there are security implications here in automatically following a
 redirect from a secure session to an insecure one in that request headers
 (which may contain sensitive information used for
 authentication/authorization) that one intends to keep secret may be
 revealed.

 My preference here would be to allow ABCL to follow redirects from
 {{{http}}} to {{{https}}} but not vice-versa, but this may be confusing to
 the user. What would be an appropriate way to inform the end-user of what
 redirects are being followed?

 Should we set up configuration options on what sort of redirects we allow,
 i.e

 || REDIRECT_ALL || Follow all redirections ||
 || REDIRECT_SECURELY || Never follow a redirection from a secure connection to an insecure one ||

 I need to consider what the right behavior should be here?

--
Ticket URL: <http://abcl.org/trac/ticket/432#comment:7>
armedbear <http://abcl.org>
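
The two policies proposed in the comment above can be sketched as follows. This is an added example, not ABCL's code and not part of the ticket: the class `RedirectPolicyExample`, the `Policy` enum, the `allowed` and `open` methods and the `MAX_HOPS` limit are assumptions made for illustration; only the two policy names come from the ticket.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class RedirectPolicyExample {
    // Policy names come from the ticket; the enum itself is hypothetical.
    enum Policy { REDIRECT_ALL, REDIRECT_SECURELY }
    static final int MAX_HOPS = 5; // assumed cap so a redirect loop terminates

    // Pure decision: may a redirect from `from` to `to` be followed under `policy`?
    static boolean allowed(Policy policy, URL from, URL to) {
        String target = to.getProtocol();
        if (!target.equals("http") && !target.equals("https")) return false; // never leave HTTP(S)
        boolean downgrade = from.getProtocol().equals("https") && target.equals("http");
        return policy == Policy.REDIRECT_ALL || !downgrade;
    }

    // Follows redirects by hand; `url` is assumed to be http or https. Each hop is a
    // fresh connection, so no request header set for one host is carried to the next.
    static HttpURLConnection open(URL url, Policy policy) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false); // every hop goes through allowed()
            int code = c.getResponseCode();
            boolean redirect = code == 301 || code == 302 || code == 303 || code == 307 || code == 308;
            if (!redirect) return c;
            String location = c.getHeaderField("Location");
            c.disconnect();
            if (location == null) throw new IOException("redirect without Location from " + url);
            URL next = new URL(url, location); // resolves a relative Location against the current URL
            if (!allowed(policy, url, next))
                throw new IOException("refusing redirect " + url + " -> " + next + " under " + policy);
            System.err.println("following redirect " + url + " -> " + next); // tells the user what was followed
            url = next;
        }
        throw new IOException("more than " + MAX_HOPS + " redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed URLs; the policy check runs without any network access.
        URL secure = new URL("https://example.org/a"), plain = new URL("http://example.org/a");
        System.out.println("http->https, REDIRECT_SECURELY: " + allowed(Policy.REDIRECT_SECURELY, plain, secure));
        System.out.println("https->http, REDIRECT_SECURELY: " + allowed(Policy.REDIRECT_SECURELY, secure, plain));
        System.out.println("https->http, REDIRECT_ALL:      " + allowed(Policy.REDIRECT_ALL, secure, plain));
    }
}
```

Logging each hop to standard error and naming the policy in the refusal message is one way to answer the question of how the end user learns which redirects were followed or rejected.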