Relative redirection is considered as a violation
Nilegfx opened this issue · 1 comments
Nilegfx commented
I got this message
Error: "Call to https://xxxxxxx.eu-central-1.elb.amazonaws.com:443 redirects (status 302) to location with unsafe protocol (/auth/zalando)"
Expected behavior
Relative redirections shouldn't be considered a violation.
harti2006 commented
@Nilegfx I thought about your case and I think it is ok to show a violation here, however the message is wrong:
When Fullstop requests an API with no OAuth header, it expects it to respond with a 401 "Unauthorized", instead of a redirect.
Of course there are cases where the redirect to a login page is intended. Then please set the "publicly_accessible" flag in Yourturn/Kio for your application. Fullstop will then consider the redirect as ok.
The misleading error message is fixed in #498
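The check harti2006 describes (an unauthenticated call is expected to return 401; a redirect is a violation unless the application is flagged `publicly_accessible`) can be sketched as a small classifier. This is an added illustration, not Fullstop's code: the `Response` shape, the function name and the message wording are assumptions, and the host name is a constructed placeholder. The point it shows is resolving a relative `Location` against the request URL before judging the scheme, so that `/auth/zalando` inherits `https://` instead of being reported as an unsafe protocol.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    # Constructed sample shape (assumption, not Fullstop's data model):
    # the URL that was requested without an OAuth header, the status code,
    # and the Location header if the server sent one.
    url: str
    status: int
    location: Optional[str] = None


def classify_unauthenticated_response(resp: Response,
                                      publicly_accessible: bool = False) -> Optional[str]:
    """Return None when the response is acceptable, else a violation message.

    Rule (as stated in the thread): a request without an OAuth header should
    get 401 Unauthorized. A redirect is only acceptable when the application
    is marked publicly accessible.
    """
    if resp.status == 401:
        return None

    if 300 <= resp.status < 400 and resp.location is not None:
        if publicly_accessible:
            return None
        # Resolve relative Locations first; "/auth/zalando" becomes
        # "https://host/auth/zalando" and keeps the request's scheme.
        target = urljoin(resp.url, resp.location)
        if urlsplit(target).scheme != "https":
            return (f"Call to {resp.url} redirects (status {resp.status}) "
                    f"to location with unsafe protocol ({target})")
        return (f"Call to {resp.url} without OAuth header redirects "
                f"(status {resp.status}) to {target}; expected 401 Unauthorized")

    return (f"Call to {resp.url} without OAuth header returned status "
            f"{resp.status}; expected 401 Unauthorized")


if __name__ == "__main__":
    # Constructed host name; the real issue masks the ELB host as xxxxxxx.
    base = "https://api.example.invalid:443/"
    cases = [
        Response(base, 401),
        Response(base, 302, "/auth/zalando"),
        Response(base, 302, "http://login.example.invalid/auth"),
        Response(base, 200),
    ]
    for r in cases:
        print(r.status, r.location, "->", classify_unauthenticated_response(r))
    print("publicly accessible ->",
          classify_unauthenticated_response(cases[1], publicly_accessible=True))
```

With the relative redirect, the message names the expected 401 rather than an unsafe protocol; flipping `publicly_accessible` to `True` for the same response clears the violation, matching the behaviour harti2006 describes.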