Redirect URL: use relative PATH or correct protocol scheme
Identified for the moment on the Adullact service:
- an HTTP redirection (instead of HTTPS) is issued after the login form
- one of the CSP rules (currently managed by Apache) blocks this redirection on Chrome
- Firefox does not block this redirection (the browser always uses HTTPS even if the redirection is in HTTP)
- a difference between the Asqatasun v5 server (Adullact service) and the Asqatasun v4 server (.org) seems to exist at the level of the redirection:
  - Asqatasun v4 (.org) ---> redirection with a relative URL:
    `Location /dispatch.html`
  - Asqatasun v5 (Adullact) ---> redirection with an absolute URL:
    `Location http://.../home.html`
What is the current bug behavior?
With an Apache reverse proxy configured like this:
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ...
    ## SSL directives
    SSLEngine on
    ...
    Include /etc/letsencrypt/options-ssl-apache.conf

    # SSL Proxy directives
    SSLProxyEngine On
    SSLProxyVerify none

    ## Request header rules
    ## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443

    ## Proxy rules
    ProxyRequests Off
    ProxyPreserveHost on
    ProxyPass / http://127.0.0.1:8080/ Keepalive=On timeout=120
    ProxyPassReverse / http://127.0.0.1:8080/
    ProxyPassReverseCookiePath / /
    #ProxyPassMatch ^/External-Images/http://(.*)$ http://$1
    #ProxyPassMatch ^/External-Images/https://(.*)$ https://$1

    ## Security headers (enhancements from https://observatory.mozilla.org/)
    Header set X-Frame-Options DENY
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Strict-Transport-Security "max-age=63072000;"
    Header set Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'none'; ... ; font-src 'self'; form-action 'self'; manifest-src 'self'; "
</VirtualHost>
</IfModule>
```
All redirect URLs use an absolute URL. Some redirect URLs seem to use the HTTP protocol instead of HTTPS. The Strict-Transport-Security header lets the browser upgrade the protocol on its own, forcing HTTPS even if the redirect URL is specified as HTTP. However, in Chrome, the following CSP directive (`form-action 'self'`) must be disabled because it seems to take priority over the Strict-Transport-Security header. See: #562 (closed)
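As an added illustration (not code from Asqatasun or from this issue), the following Python sketch classifies the two redirect styles described above against the `X-Forwarded-Proto` header that the Apache proxy configuration sets, and shows how a `Location` value can be built from the forwarded headers so it never downgrades to `http://`. Host names and header values are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

def forwarded_scheme(request_headers):
    """Scheme the client used, as announced by the proxy's X-Forwarded-Proto (http if absent)."""
    value = request_headers.get("X-Forwarded-Proto", "http")
    return value.split(",")[0].strip().lower()  # first hop wins when proxies chain values

def classify_location(location, client_scheme):
    """Classify a Location header value relative to the scheme the client is using.

    'relative'  - a path such as /dispatch.html: the browser reuses the current scheme and host
    'ok'        - absolute URL whose scheme matches what the client used
    'downgrade' - absolute http:// URL sent to an https client (the behaviour this issue reports)
    'mismatch'  - any other scheme difference
    """
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        return "relative"
    if parts.scheme == client_scheme:
        return "ok"
    if client_scheme == "https" and parts.scheme == "http":
        return "downgrade"
    return "mismatch"

def build_location(request_headers, path, absolute=False):
    """Build a Location value that never downgrades: a relative path by default, or an absolute
    URL rebuilt from X-Forwarded-Proto, X-Forwarded-Host/Host and X-Forwarded-Port."""
    if not absolute:
        return path
    scheme = forwarded_scheme(request_headers)
    host = request_headers.get("X-Forwarded-Host") or request_headers.get("Host", "localhost")
    port = request_headers.get("X-Forwarded-Port")
    if port and port != DEFAULT_PORTS.get(scheme) and ":" not in host:
        host = f"{host}:{port}"  # keep a non-default port, e.g. 8443
    return f"{scheme}://{host}{path}"

def audit(responses, request_headers):
    """Map each captured redirect to its classification for the given request headers."""
    scheme = forwarded_scheme(request_headers)
    return {name: classify_location(location, scheme) for name, location in responses}

# Constructed sample: the headers the proxy from the issue adds, and the two redirects described there.
SAMPLE_REQUEST_HEADERS = {"Host": "asqatasun.example.org",  # hypothetical host name
                          "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
SAMPLE_REDIRECTS = [("v4 /dispatch.html", "/dispatch.html"),
                    ("v5 home.html", "http://asqatasun.example.org/home.html")]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_REDIRECTS, SAMPLE_REQUEST_HEADERS).items():
        print(f"{name}: {verdict}")
    print(build_location(SAMPLE_REQUEST_HEADERS, "/home.html", absolute=True))
```

A `relative` or `ok` verdict needs neither the HSTS upgrade nor an exception to `form-action 'self'`, which is why the relative-path form from v4 avoids the Chrome block.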
What is the expected correct behavior?
Redirect URL: use relative PATH or correct protocol scheme
Edited by Fabrice Gangler