
I'm trying to make sense of the docs located at:

https://developer.mozilla.org/en-US/docs/Web/API/Response/redirected

It says

Note: Relying on redirected to filter out redirects makes it easy for a forged redirect to prevent your content from working as expected. Instead, you should do the filtering when you call fetch(). See the example Disallowing redirects, which shows this being done.

and

Because using redirected to manually filter out redirects can allow forgery of redirects, you should instead set the redirect mode to "error" in the init parameter when calling fetch(), like this:

Is it really possible to forge the redirected property on a fetch response somehow and how is that done? If not then what vulnerability is this talking about?

asked Nov 17, 2023 at 21:35
  • This might be in reference to Server Side Request Forgery attacks although I would need to do more research on this topic. Commented Nov 18, 2023 at 0:54
  • I don't think they are talking about faking the redirected property. I'm pretty sure they are talking about some sort of vulnerability in how servers redirect some requests, although I'm not sure how disallowing redirects is safer than checking this in your code... Commented Nov 18, 2023 at 0:59
  • Response.redirect is not what gets forged, it's request redirections. fetch() options also support the property redirect which sets the strategy (allow/follow redirects, reject or manual handling). The post is telling you not to check/assert redirections after they have already happened, but instead to choose the proper strategy when calling fetch() Commented Nov 18, 2023 at 9:32
  • @Laiv What does that mean when you say request redirections get forged? Commented Nov 22, 2023 at 17:01
  • Browser#fetch sends a request to point A, but it gets a response generated by point Z. The browser's response object informs about this redirection via Response.redirected. In other words, by the time the browser gets the response, all the redirections (if any) have already happened. In order to avoid fetching responses generated by redirections, fetch() implements different redirection policies. One of them (error) will reject any response generated by redirections. Commented Nov 22, 2023 at 17:51
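The point the comments make can be seen by tracing which hosts a client actually contacts under each redirect mode. The following is an added example, not code from the question, the comments, or MDN: it is a small in-memory model of fetch()'s redirect handling (the real API is asynchronous and goes over the network), with a constructed set of URLs where an unexpected 302 points at a host the application never intended to talk to. `filterAfterTheFact` does what the MDN note warns against (follow, then discard by `redirected`); `refuseUpFront` passes `{ redirect: "error" }` as MDN recommends.

```javascript
// Added example: an in-memory model of fetch() redirect modes, used to show
// why checking response.redirected after the fact is weaker than passing
// { redirect: "error" } when the request is made. All URLs, bodies and the
// "server" table below are constructed for the demo.

// Constructed "internet": each URL maps to a canned response.
const WORLD = {
  "https://api.example/data": { status: 200, headers: {}, body: "trusted data" },
  // A redirect the application did not expect; it points at a host the
  // application never meant to contact.
  "https://api.example/old": { status: 302, headers: { location: "https://evil.example/data" }, body: "" },
  "https://evil.example/data": { status: 200, headers: {}, body: "forged data" },
};

// Every request the modelled client sends is recorded here, so each
// strategy can report which hosts were actually contacted.
const requestLog = [];

// Minimal model of fetch(url, { redirect }) with the three modes from the
// Fetch spec ("follow", "error", "manual"). Returns synchronously to keep
// the demo self-contained; real fetch returns a Promise.
function modelFetch(url, { redirect = "follow" } = {}) {
  let current = url;
  let redirected = false;
  // The spec gives up after 20 redirects, i.e. at most 21 requests.
  for (let hops = 0; hops <= 20; hops++) {
    requestLog.push(current);
    const resp = WORLD[current];
    if (!resp) throw new TypeError(`no route for ${current}`);
    const isRedirect =
      [301, 302, 303, 307, 308].includes(resp.status) && Boolean(resp.headers.location);
    if (!isRedirect) {
      return { url: current, status: resp.status, redirected, body: resp.body, type: "basic" };
    }
    if (redirect === "error") {
      // The fetch promise rejects with a TypeError; the Location target is never requested.
      throw new TypeError("Failed to fetch: redirect mode is 'error'");
    }
    if (redirect === "manual") {
      // Browser semantics: an opaque-redirect response (status 0, no body, redirected false).
      return { url: current, status: 0, redirected: false, body: null, type: "opaqueredirect" };
    }
    // "follow": the target is requested before the caller sees anything.
    redirected = true;
    current = new URL(resp.headers.location, current).href;
  }
  throw new TypeError("Failed to fetch: too many redirects");
}

// The pattern MDN warns against: let fetch follow, then discard by `redirected`.
// The response is dropped, but the unintended host has already been contacted.
function filterAfterTheFact(url) {
  requestLog.length = 0;
  const resp = modelFetch(url); // default redirect mode is "follow"
  const accepted = resp.redirected ? null : resp.body;
  return { accepted, contacted: [...requestLog] };
}

// The pattern MDN recommends: refuse redirects when the request is made.
// The 302 itself is received, but its target is never requested.
function refuseUpFront(url) {
  requestLog.length = 0;
  let accepted = null;
  try {
    accepted = modelFetch(url, { redirect: "error" }).body;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  return { accepted, contacted: [...requestLog] };
}
```

Both strategies end up rejecting the forged body, but only `refuseUpFront` keeps `https://evil.example/data` out of the contacted list; with `filterAfterTheFact` the request (and, in a browser, whatever credentials the request's credentials mode allows) has already reached the redirect target by the time `redirected` can be inspected. Note that Node's fetch implementation returns the raw 3xx response for `redirect: "manual"` rather than the browser's opaque-redirect response.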
