#432: open http:// pathname doesn't follow redirects
------------------------------+--------------------------
      Reporter: aruttenberg   |      Owner: mevenson
          Type: defect        |     Status: accepted
      Priority: blocker       |  Milestone: 1.5.0
     Component: streams       |    Version: 1.5.0-dev
    Resolution:               |   Keywords: has-test uri
Parent Tickets:               |
------------------------------+--------------------------
Comment (by mevenson):
The {{{URL-PATHNAME}}} constructor is working again, which reveals a more basic problem in that {{{java.net.URLConnection}}} does not "follow" redirects across scheme change, i.e. {{{http://purl.obolibrary.org/obo/iao.owl}}} via scheme {{{http}}} redirects to {{{https://raw.githubusercontent.com/information-artifact-ontology/IAO/master/releases/2015-02-23/iao.owl}}} using scheme {{{https}}}.
Writing code to follow scheme changes across redirects is fairly trivial (see <http://stackoverflow.com/questions/1884230/urlconnection-doesnt-follow-redirect#1884427>) but there are security implications here in automatically following a redirect from a secure session to an insecure one in that request headers (which may contain sensitive information used for authentication/authorization) that one intends to keep secret may be revealed.
My preference here would be to allow ABCL to follow redirects from {{{http}}} to {{{https}}} but not vice-versa, but this may be confusing to the user.
What would be an appropriate way to inform the end-user of what redirects are being followed?
Should we set up configuration options on what sort of redirects we allow, i.e.
|| REDIRECT_ALL || Follow all redirections ||
|| REDIRECT_SECURELY || Never follow a redirection from a secure connection to an insecure one ||
I need to consider what the right behavior should be here.
--
Ticket URL: <http://abcl.org/trac/ticket/432#comment:7>
armedbear <http://abcl.org>
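One way to implement the REDIRECT_ALL / REDIRECT_SECURELY options proposed in the comment above, as an added example that is not ABCL's code or part of the ticket. The class name `RedirectFollower`, the `MAX_HOPS` limit, the refusal of non-HTTP(S) targets and the stderr logging of each hop are assumptions; the caller is assumed to pass an `http` or `https` URL.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class RedirectFollower {
    // Policy names taken from the options proposed in the ticket comment.
    enum Policy { REDIRECT_ALL, REDIRECT_SECURELY }

    static final int MAX_HOPS = 5; // assumed limit, guards against redirect loops

    // A hop is refused only when the policy is REDIRECT_SECURELY and the
    // scheme would drop from https to anything else.
    static boolean allowed(Policy policy, URL from, URL to) {
        boolean downgrade = "https".equalsIgnoreCase(from.getProtocol())
                && !"https".equalsIgnoreCase(to.getProtocol());
        return policy == Policy.REDIRECT_ALL || !downgrade;
    }

    static InputStream open(URL url, Policy policy) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false); // every hop is decided below
            int status = c.getResponseCode();
            if (status < 300 || status > 399 || status == 304) {
                return c.getInputStream(); // final response, not a redirect
            }
            String location = c.getHeaderField("Location");
            c.disconnect();
            if (location == null) throw new IOException("redirect without Location: " + url);
            URL next = new URL(url, location); // resolves relative Location values
            // Only http/https targets are followed (assumption), then the policy applies.
            if (!next.getProtocol().matches("(?i)https?") || !allowed(policy, url, next)) {
                throw new IOException("refused redirect " + url + " -> " + next);
            }
            System.err.println("redirect: " + url + " -> " + next); // inform the user
            url = next;
        }
        throw new IOException("more than " + MAX_HOPS + " redirects");
    }

    public static void main(String[] args) throws Exception {
        // Offline check of the policy decision using the two URLs from the ticket.
        URL http = new URL("http://purl.obolibrary.org/obo/iao.owl");
        URL https = new URL("https://raw.githubusercontent.com/information-artifact-ontology/IAO/master/releases/2015-02-23/iao.owl");
        System.out.println("http->https, REDIRECT_SECURELY: " + allowed(Policy.REDIRECT_SECURELY, http, https));
        System.out.println("https->http, REDIRECT_SECURELY: " + allowed(Policy.REDIRECT_SECURELY, https, http));
        System.out.println("https->http, REDIRECT_ALL: " + allowed(Policy.REDIRECT_ALL, https, http));
    }
}
```

Because `setInstanceFollowRedirects(false)` is set on every connection, any request headers a caller adds are sent only to hops that passed the policy check.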