Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Redirections and port / http-https change
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jicea via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 3 Oct 2025 18:28:33 +0000
Hi all,
I would like to have precision on redirections, I've tried to get it from the docs without success.
In https://curl.se/libcurl/c/CURLOPT_FOLLOWLOCATION.html:
> By default, libcurl only sends Authentication: or explicitly set Cookie: headers to the initial host given
> in the original URL, to avoid leaking username + password to other sites. CURLOPT_UNRESTRICTED_AUTH is provided to change that behavior.
My questions are about port and HTTPS/HTTP
- are the Authentication/Cookie headers filtered when ports change (even with the same hostname) ?
- are the Authentication/Cookie headers filtered when going from https:// to http:// ?
Contrary to the doc, in the code port / protocol seem to be taken into account (unless "host" in the doc stands for protocol + host + port ?)
/*
* Curl_auth_ollowed_to_host() tells if authentication, cookies or other
* "sensitive data" can (still) be sent to this host.
*/
bool Curl_auth_allowed_to_host(struct Curl_easy *data)
{
struct connectdata *conn = data->conn;
return !data->state.this_is_a_follow ||
data->set.allow_auth_to_other_hosts ||
(data->state.first_host &&
curl_strequal(data->state.first_host, conn->host.name) &&
(data->state.first_remote_port == conn->remote_port) &&
(data->state.first_remote_protocol == conn->handler->protocol));
}
Thanks!
Orange Restricted
____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
Date: Fri, 3 Oct 2025 18:28:33 +0000
Hi all,
I would like to have precision on redirections, I've tried to get it from the docs without success.
In https://curl.se/libcurl/c/CURLOPT_FOLLOWLOCATION.html:
> By default, libcurl only sends Authentication: or explicitly set Cookie: headers to the initial host given
> in the original URL, to avoid leaking username + password to other sites. CURLOPT_UNRESTRICTED_AUTH is provided to change that behavior.
My questions are about port and HTTPS/HTTP
- are the Authentication/Cookie headers filtered when ports change (even with the same hostname) ?
- are the Authentication/Cookie headers filtered when going from https:// to http:// ?
Contrary to the doc, in the code port / protocol seem to be taken into account (unless "host" in the doc stands for protocol + host + port ?)
/*
* Curl_auth_ollowed_to_host() tells if authentication, cookies or other
* "sensitive data" can (still) be sent to this host.
*/
bool Curl_auth_allowed_to_host(struct Curl_easy *data)
{
struct connectdata *conn = data->conn;
return !data->state.this_is_a_follow ||
data->set.allow_auth_to_other_hosts ||
(data->state.first_host &&
curl_strequal(data->state.first_host, conn->host.name) &&
(data->state.first_remote_port == conn->remote_port) &&
(data->state.first_remote_protocol == conn->handler->protocol));
}
Thanks!
Orange Restricted
____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-10-03