Dear all,

RFC 2616 requires an absolute URI in the "Location" header field. So if someone 
calls "ns_returnredirect /", NaviServer transforms it on the fly into an 
absolute URL by prefixing it with the location (e.g. https://openacs.org/). 
NaviServer (and OpenACS) has some complex code to compute the location value, 
especially when virtual servers are involved (or for "host-node mapped" 
subsites in OpenACS). The situation is further complicated when running behind 
a reverse proxy and/or in a containerized environment. In such cases, the 
location is computed from the "host" request header field, which must be 
validated, otherwise an attacker could hijack a session and redirect it to a 
spoofed site. 

The situation changed 10 years ago (June 2014) with the introduction of RFC 
7231, which allows relative redirects (see 
https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2). Using relative redirects 
greatly simplifies configuration and closes the attack vector using the host 
header field. RFC 7231 has been superseded by RFC 9110 (June 2022), which also 
supports relative redirects via the "location" response header field (see 
https://www.rfc-editor.org/rfc/rfc9110#field.location).

The latest version of NaviServer (already running on OpenACS.org) now 
implements relative redirects as supported by the newer RFCs. Only if a 
location proc has been registered via "ns_locationproc" will the URL be 
prefixed with it, for better backwards compatibility.
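To make the difference between the two strategies concrete, here is a small added example in Python (not NaviServer's own code, which is C and Tcl). It builds the value of the Location header either the legacy way, by prefixing the path with an absolute location derived from the request's Host header, or the RFC 7231/9110 way, by emitting the relative reference as-is. The allowlist KNOWN_HOSTS, the exception class and the helper names are assumptions made for this example and stand in for a server's virtual-host configuration.

```python
"""Legacy absolute redirects vs. relative redirects (added example).

Host is client-controlled input: in legacy mode the server must only
prefix the redirect with a host it actually serves, otherwise the
client is sent to whatever site the request named.  In relative mode
the Host header is not consulted at all.
"""
from urllib.parse import urlsplit

# Constructed allowlist of hostnames this server answers for
# (stands in for a real virtual-server configuration).
KNOWN_HOSTS = {"openacs.org", "www.openacs.org"}


class UnknownHost(ValueError):
    """Raised when the Host header names a site we do not serve."""


def validated_location(scheme: str, host_header: str) -> str:
    """Return 'scheme://host[:port]' if the Host header is on the allowlist."""
    hostname, _, port = host_header.strip().lower().partition(":")
    if hostname not in KNOWN_HOSTS:
        raise UnknownHost(host_header)
    return f"{scheme}://{hostname}" + (f":{port}" if port else "")


def location_header(target: str, scheme: str, host_header: str,
                    relative: bool) -> str:
    """Build the Location response header value for a redirect target.

    An already absolute URI is returned unchanged.  In relative mode the
    target is returned as a relative reference (RFC 9110 allows this); a
    network-path reference such as '//other.example/' is rejected because
    the client would resolve it to a different host.  In legacy mode the
    target is prefixed with the validated absolute location.
    """
    if urlsplit(target).scheme:
        return target
    if relative:
        if target.startswith("//"):
            raise ValueError("network-path reference is not same-origin")
        return target
    base = validated_location(scheme, host_header)
    if not target.startswith("/"):
        target = "/" + target
    return base + target


def demo() -> dict:
    """Exercise both modes with a genuine and a spoofed Host header."""
    results = {}
    results["legacy_ok"] = location_header("/", "https", "openacs.org",
                                           relative=False)
    try:
        location_header("/", "https", "evil.example", relative=False)
        results["legacy_spoofed"] = "accepted"
    except UnknownHost:
        results["legacy_spoofed"] = "rejected"
    # Relative mode never looks at Host, so a spoofed value is harmless.
    results["relative"] = location_header("/", "https", "evil.example",
                                          relative=True)
    try:
        location_header("//evil.example/", "https", "openacs.org",
                        relative=True)
        results["relative_network_path"] = "accepted"
    except ValueError:
        results["relative_network_path"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In legacy mode the allowlist check is what stands between a valid redirect and one that sends the session to an attacker-chosen host; in relative mode that check, and the configuration it depends on, disappears, which is the simplification the post describes.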

The change to support relative redirects should simplify many configurations. 
There have been many questions about redirects where people have struggled to 
set them up. I've only added this change to the main branch of NaviServer. I 
have no intention of backporting it to the 4.99 series at this time.

If you have any objections or suggestions, please let me know.



_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel