When fetching a shell script from the URL https://dot.net/v1/dotnet-install.sh in a test using @actions/http-client, there are 2 redirects involved:
A 301 redirect from https://dot.net/v1/dotnet-install.sh to https://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh;
A 302 redirect from https://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh to /download/dotnet/scripts/v1/dotnet-install.sh.
The second redirect fails with the following message:
Redirect from HTTPS to HTTP protocol. This downgrade is not allowed for security reasons. If you want to allow this behavior, set the allowRedirectDowngrade option to true.
However, there are no redirects from HTTPS to HTTP, just a redirect to a relative URI (which should preserve the HTTPS protocol).
Originally found in actions/setup-dotnet#110.
When fetching a shell script from the URL
https://dot.net/v1/dotnet-install.sh
in a test using@actions/http-client
, there are 2 redirects involved:https://dot.net/v1/dotnet-install.sh
tohttps://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh
;https://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh
to/download/dotnet/scripts/v1/dotnet-install.sh
.The second redirect fails with the following message:
However, there are no redirects from HTTPS to HTTP, just a redirect to a relative URI (which should preserve the HTTPS protocol).
The issue seems to be located in the following
if
: https://github.com/actions/http-client/blob/edadda14b09058389cd47f9790e19b97883624c1/index.ts#L386-L390