Skip to content

fix(redirect): Allow credentials for HTTPS redirects in different domains #10258

Description

@Cheekie25

Solution

This patch improves the redirect credential handling to support legitimate SSO scenarios while maintaining security.

Changes

Replace the overly strict host/port matching with a smarter check:

  1. Allow HTTPS-to-HTTPS redirects regardless of domain (they're encrypted end-to-end)
  2. Only strip credentials for HTTP redirects to prevent leaking auth tokens in plaintext
  3. Still prevent HTTPS→HTTP downgrades (this was already checked at line 251)

Proposed Fix

// Line 279-288: Replace with:
bool isSafeRedirect = (redirectUrl.scheme() == QLatin1String("https")) 
                      && (requestedUrl.host() == redirectUrl.host() 
                          && requestedUrl.port() == redirectUrl.port());

if (!isSafeRedirect) {
    qCWarning(lcNetworkJob).nospace() << "redirect target mismatches origin or uses HTTP, removing credentials"
        << " origin=" << requestedUrl.scheme() << "://" << requestedUrl.host() << ":" << requestedUrl.port()
        << " target=" << redirectUrl.scheme() << "://" << redirectUrl.host() << ":" << redirectUrl.port();

    auto headers = request.headers();
    headers.removeAll(QHttpHeaders::WellKnownHeader::Authorization);
    request.setHeaders(headers);
    request.setAttribute(AbstractCredentials::DontAddCredentialsAttribute, true);
}

Why This Works

  • HTTPS redirects to different domains: Safe for SSO (transport-layer encryption protects credentials)
  • HTTP redirects: Credentials removed (plaintext exposure prevented)
  • HTTPS→HTTP downgrades: Caught by existing check at line 251, request won't reach this point
  • Same-origin redirects: Keep credentials as before

Testing

Should test with:

  1. OAuth2 redirect to different HTTPS domain ✅ (now works)
  2. HTTPS→HTTP redirect ✅ (still blocked)
  3. Same-origin redirect ✅ (still works)
  4. HTTP→HTTP cross-domain ✅ (credentials removed as before)

Fixes: Regression from commit 585b6ca

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions