https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8108

            Bug ID: 8108
           Summary: DecodeShortURLs should include sec-fetch-mode header
                    in requests
           Product: Spamassassin
           Version: 4.0.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Plugins
          Assignee: dev@spamassassin.apache.org
          Reporter: dilld...@bjork.org
  Target Milestone: Undefined

Certain redirectors, notably fb.me, refuse to return a 302 unless the request
header sec-fetch-mode is included, with a value of navigate.

Compare:

curl -A "Mozilla/5.0 (Windows NT 10.0; Win64 ;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36)" \
  -I https://fb.me/e/2niFUdfPy/

Which returns a 200, with:

curl -A "Mozilla/5.0 (Windows NT 10.0; Win64 ;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36)" \
  -H 'sec-fetch-mode: navigate' \
  -I https://fb.me/e/2niFUdfPy/

Which returns the expected and desired 302.

I propose the sec-fetch-mode header is included in all requests made by
DecodeShortURLs, as I see no harm in doing so. This will help further mask them
as browser requests, which is already the goal with spoofing the UA.
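The behaviour the report describes, as an added example (in Python, not the plugin's own Perl code) of a one-hop resolver that sends the browser User-Agent plus sec-fetch-mode: navigate and reads the Location header without following the redirect. The `fake_fb_me` transport is a constructed stand-in that reproduces the observed 200-versus-302 difference offline; the Location value it returns is a placeholder.

```python
"""Added example, not SpamAssassin's DecodeShortURLs code: resolve one hop
of a URL shortener with browser-like headers and read the Location header
instead of following the redirect (a resolver should never follow blindly)."""
import urllib.request
from urllib.error import HTTPError

# Browser User-Agent as in the report (without its stray trailing parenthesis)
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36")

def shortener_headers(with_fetch_mode=True):
    """Headers the resolver sends; the flag lets you compare before/after."""
    headers = {"User-Agent": BROWSER_UA}
    if with_fetch_mode:
        headers["Sec-Fetch-Mode"] = "navigate"
    return headers

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None from redirect_request makes urllib raise HTTPError on a
    3xx instead of fetching the target; the Location header is all we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, headers):
    """Live transport: HEAD request, returns (status, response headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as e:  # 3xx lands here because redirects are disabled
        return e.code, dict(e.headers)

def resolve_one_hop(url, fetch=http_fetch, with_fetch_mode=True):
    """Return the redirect target, or None if the service sent no 3xx."""
    status, headers = fetch(url, shortener_headers(with_fetch_mode))
    if 300 <= status < 400:
        return {k.lower(): v for k, v in headers.items()}.get("location")
    return None

def fake_fb_me(url, headers):
    """Constructed stand-in for the fb.me behaviour in the report:
    302 only when sec-fetch-mode: navigate is present, otherwise 200."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("sec-fetch-mode") == "navigate":
        return 302, {"Location": "https://www.facebook.com/events/PLACEHOLDER"}
    return 200, {"Content-Type": "text/html"}
```

Swap `fake_fb_me` for the default `http_fetch` to run the same comparison against a live shortener.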
