Strip auth headers on cross-origin redirects

Changes

@@ -1,6 +1,14 @@
 Release notes for HTTP-Tiny
 
 {{$NEXT}}
+    [!!! SECURITY !!!]
+
+    - Caller-supplied C<Authorization>, C<Cookie>, and C<Proxy-Authorization>
+      headers are now stripped on cross-origin redirects by default. Use
+      allow_credentialed_redirects to opt out.
+
+    - Redirects are no longer automatically followed when going from https to http.
+      Use allow_downgrade to revert to the original behaviour.
 
 0.093     2026-05-11 17:18:12+02:00 Europe/Brussels (TRIAL RELEASE)
 

corpus/redirect-11.txt

@@ -0,0 +1,21 @@
+url
+  https://victim.example/secret
+expected
+  refused-redirect-body
+expected_url
+  https://victim.example/secret
+----------
+GET /secret HTTP/1.1
+Host: victim.example
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 21
+Location: http://victim.example/secret
+
+refused-redirect-body
+

corpus/redirect-12.txt

@@ -0,0 +1,36 @@
+url
+  https://victim.example/secret
+expected
+  success
+expected_url
+  http://victim.example/secret
+new_args
+  allow_downgrade: 1
+----------
+GET /secret HTTP/1.1
+Host: victim.example
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 8
+Location: http://victim.example/secret
+
+redirect
+
+----------
+GET /secret HTTP/1.1
+Host: victim.example
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 7
+
+success

corpus/redirect-13.txt

@@ -0,0 +1,35 @@
+url
+  https://example.com/index.html
+expected
+  abcdefghijklmnopqrstuvwxyz1234567890abcdef
+expected_url
+  https://example.com/index2.html
+----------
+GET /index.html HTTP/1.1
+Host: example.com
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/html
+Content-Length: 53
+Location: https://example.com/index2.html
+
+<a href="https://example.com/index2.html">redirect</a>
+
+----------
+GET /index2.html HTTP/1.1
+Host: example.com
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 42
+
+abcdefghijklmnopqrstuvwxyz1234567890abcdef
+

corpus/redirect-14.txt

@@ -0,0 +1,35 @@
+url
+  http://example.com/index.html
+expected
+  abcdefghijklmnopqrstuvwxyz1234567890abcdef
+expected_url
+  https://example.com/index2.html
+----------
+GET /index.html HTTP/1.1
+Host: example.com
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/html
+Content-Length: 53
+Location: https://example.com/index2.html
+
+<a href="https://example.com/index2.html">redirect</a>
+
+----------
+GET /index2.html HTTP/1.1
+Host: example.com
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 42
+
+abcdefghijklmnopqrstuvwxyz1234567890abcdef
+

corpus/redirect-15.txt

@@ -0,0 +1,57 @@
+url
+  http://victim.example/secret
+expected
+  pwned
+expected_url
+  http://victim.example/back
+headers
+  Authorization: Bearer SECRET-TOKEN
+  Cookie: session=SECRET-SESSION
+  Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA==
+----------
+GET /secret HTTP/1.1
+Host: victim.example
+Authorization: Bearer SECRET-TOKEN
+Cookie: session=SECRET-SESSION
+Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA==
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 8
+Location: http://attacker.example/loot
+
+redirect
+
+----------
+GET /loot HTTP/1.1
+Host: attacker.example
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 8
+Location: http://victim.example/back
+
+redirect
+
+----------
+GET /back HTTP/1.1
+Host: victim.example
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 5
+
+pwned
+

corpus/redirect-16.txt

@@ -0,0 +1,47 @@
+url
+  http://victim.example/secret
+expected
+  pwned
+expected_url
+  http://attacker.example/loot
+new_args
+  allow_credentialed_redirects: 1
+headers
+  Authorization: Bearer SECRET-TOKEN
+  Cookie: session=SECRET-SESSION
+  Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA==
+----------
+GET /secret HTTP/1.1
+Host: victim.example
+Authorization: Bearer SECRET-TOKEN
+Cookie: session=SECRET-SESSION
+Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA==
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 8
+Location: http://attacker.example/loot
+
+redirect
+
+----------
+GET /loot HTTP/1.1
+Host: attacker.example
+Authorization: Bearer SECRET-TOKEN
+Cookie: session=SECRET-SESSION
+Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA==
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 5
+
+pwned
+

corpus/redirect-17.txt

@@ -0,0 +1,39 @@
+url
+  http://example.com/a
+expected
+  ok
+expected_url
+  http://example.com/b
+headers
+  Authorization: Bearer SECRET-TOKEN
+----------
+GET /a HTTP/1.1
+Host: example.com
+Authorization: Bearer SECRET-TOKEN
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 8
+Location: http://example.com/b
+
+redirect
+
+----------
+GET /b HTTP/1.1
+Host: example.com
+Authorization: Bearer SECRET-TOKEN
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 2
+
+ok
+

corpus/redirect-18.txt

@@ -0,0 +1,38 @@
+url
+  http://example.com:8080/foo
+expected
+  ok
+expected_url
+  http://example.com:8081/bar
+headers
+  Authorization: Bearer SECRET-TOKEN
+----------
+GET /foo HTTP/1.1
+Host: example.com:8080
+Authorization: Bearer SECRET-TOKEN
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 8
+Location: http://example.com:8081/bar
+
+redirect
+
+----------
+GET /bar HTTP/1.1
+Host: example.com:8081
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 2
+
+ok
+

corpus/redirect-19.txt

@@ -0,0 +1,40 @@
+url
+  https://example.com:8443/foo
+expected
+  ok
+expected_url
+  http://example.com:8443/foo
+new_args
+  allow_downgrade: 1
+headers
+  Authorization: Bearer SECRET-TOKEN
+----------
+GET /foo HTTP/1.1
+Host: example.com:8443
+Authorization: Bearer SECRET-TOKEN
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 302 Found
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 8
+Location: http://example.com:8443/foo
+
+redirect
+
+----------
+GET /foo HTTP/1.1
+Host: example.com:8443
+Connection: close
+User-Agent: HTTP-Tiny/VERSION
+
+----------
+HTTP/1.1 200 OK
+Date: Thu, 03 Feb 1994 00:00:00 GMT
+Content-Type: text/plain
+Content-Length: 2
+
+ok
+