Solution
This patch improves the redirect credential handling to support legitimate SSO scenarios while maintaining security.
Changes
Replace the overly strict host/port matching with a smarter check:
- Allow HTTPS-to-HTTPS redirects regardless of domain (they're encrypted end-to-end)
- Only strip credentials for HTTP redirects to prevent leaking auth tokens in plaintext
- Still prevent HTTPS→HTTP downgrades (this was already checked at line 251)
Proposed Fix
// Line 279-288: Replace with:
bool isSafeRedirect = (redirectUrl.scheme() == QLatin1String("https"))
&& (requestedUrl.host() == redirectUrl.host()
&& requestedUrl.port() == redirectUrl.port());
if (!isSafeRedirect) {
qCWarning(lcNetworkJob).nospace() << "redirect target mismatches origin or uses HTTP, removing credentials"
<< " origin=" << requestedUrl.scheme() << "://" << requestedUrl.host() << ":" << requestedUrl.port()
<< " target=" << redirectUrl.scheme() << "://" << redirectUrl.host() << ":" << redirectUrl.port();
auto headers = request.headers();
headers.removeAll(QHttpHeaders::WellKnownHeader::Authorization);
request.setHeaders(headers);
request.setAttribute(AbstractCredentials::DontAddCredentialsAttribute, true);
}
Why This Works
- HTTPS redirects to different domains: Safe for SSO (transport-layer encryption protects credentials)
- HTTP redirects: Credentials removed (plaintext exposure prevented)
- HTTPS→HTTP downgrades: Caught by existing check at line 251, request won't reach this point
- Same-origin redirects: Keep credentials as before
Testing
Should test with:
- OAuth2 redirect to different HTTPS domain ✅ (now works)
- HTTPS→HTTP redirect ✅ (still blocked)
- Same-origin redirect ✅ (still works)
- HTTP→HTTP cross-domain ✅ (credentials removed as before)
Fixes: Regression from commit 585b6ca
Solution
This patch improves the redirect credential handling to support legitimate SSO scenarios while maintaining security.
Changes
Replace the overly strict host/port matching with a smarter check:
Proposed Fix
Why This Works
Testing
Should test with:
Fixes: Regression from commit 585b6ca