Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reconsider and document redirect policy #518

Open
WofWca opened this issue Feb 7, 2025 · 0 comments
Open

Reconsider and document redirect policy #518

WofWca opened this issue Feb 7, 2025 · 0 comments

Comments

@WofWca
Copy link

WofWca commented Feb 7, 2025
edited
Loading

The problem

It looks like that by default the library uses the default HTTPClient:

websocket/dial.go

Lines 76 to 103 in d1468a7

if o.HTTPClient == nil {
o.HTTPClient = http.DefaultClient
}
if o.HTTPClient.Timeout > 0 {
ctx, cancel = context.WithTimeout(ctx, o.HTTPClient.Timeout)
newClient := *o.HTTPClient
newClient.Timeout = 0
o.HTTPClient = &newClient
}
if o.HTTPHeader == nil {
o.HTTPHeader = http.Header{}
}
newClient := *o.HTTPClient
oldCheckRedirect := o.HTTPClient.CheckRedirect
newClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
switch req.URL.Scheme {
case "ws":
req.URL.Scheme = "http"
case "wss":
req.URL.Scheme = "https"
}
if oldCheckRedirect != nil {
return oldCheckRedirect(req, via)
}
return nil
}
o.HTTPClient = &newClient

And the default HTTP client does follow redirects:

// If CheckRedirect is nil, the Client uses its default policy,
// which is to stop after 10 consecutive requests.

Edit: actually, doesn't the fact that we do specify a CheckRedirect function mean that we do not stop after 10 consecutive requests?

I am aware that it is possible to provide your own HTTPClient struct to the Dial() function, and it is nice to rely on built-in defaults, I think a WebSocket library should be more concrete in this regard. Especially given the fact that this particular one claims to be able to target WASM. And, according to the browser WebSocket spec, redirects are not followed:

redirect mode is "error"

The reason redirects are not followed and this handshake is generally restricted is because it could introduce serious security problems in a web browser context. For example, consider a host with a WebSocket server at one path and an open HTTP redirector at another. Suddenly, any script that can be given a particular WebSocket URL can be tricked into communicating to (and potentially sharing secrets with) any host on the internet, even if the script checks that the URL has the right hostname.

This IMO can be considered an inconsistency between different targets.
Note that changing redirect policy for the WASM version is not possible, according to this library's docs:

HTTPClient, HTTPHeader and CompressionMode in DialOptions are no-op

For reference, the WebSocket spec itself states:

the server might redirect the client using a 3xx status code (but clients are not required to follow them)

Also for reference, the Gorilla WebSocket library IMU does not follow redirects, see this issue: gorilla/websocket#965 and the code.

Suggested solution

  1. Document that the library follows redirects, but not in the WASM version.
  2. For the next version: Do not follow redirects by default, and document this.
    This can either be considered a breaking change (so it goes to v2.x.x), or a bug fix.

Related issue: #333
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@WofWca