Closed luni3359 closed 1 month ago
I can't see any clear rules for this in the HTTP specifications.
I suspect that at the very least, a redirect that is meant to retain the same method (e.g. 307) should resend the payload. Maybe the codes which allow changing to GET should drop the payload (e.g 303). Which brings up the question of what redirect code they are using?
It's using a 302 redirect. Redirects are keeping cookies and auth tokens; you can see that is a huge security risk.
The same issue actually exists with auth when redirecting to a different origin. During the redirect, the authorization is reset in https://github.com/aio-libs/aiohttp/blob/master/aiohttp/client.py#L601, but if the auth parameter is passed to the ClientSession, then the authorization will be reassigned in https://github.com/aio-libs/aiohttp/blob/master/aiohttp/client.py#L440
The current behaviour looks like it's correct. The body is removed from a POST request on 301/302/303. It is also removed from a GET request on 303. The RFC only says the content headers should be removed, but presumably it would make sense to remove the content as well at that point. It also only says when the method is changed to GET, so if we're already using GET it's not clear that it should be removed anyway.
https://www.rfc-editor.org/rfc/rfc9110.html#section-15.4-6.5.1
The comment about auth headers may have changed. I see code for removing auth headers currently when the origin changes.
Right, we should get a test to reproduce that.
Wait, but that's an auth in the ClientSession. If you've set auth for the entire session, why would you expect it to not be sent on a request?
I do expect it to be sent on request, but shouldn't it be removed in the case of a redirect to a different origin? If not, it might be worth adding a note about this in the documentation
My expectation is that any request to any origin will have the auth included, as it's global for the entire session. Feel free to make a PR with a doc change.
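As an added example (not aiohttp's own code, and not posted by anyone in this thread), the following stand-alone Python models the redirect rules the maintainer describes above from RFC 9110 section 15.4 (method changed to GET drops the body and content headers, 303 drops even a GET body, 307/308 replay method and body, a GET body on 301/302 is left alone) together with the cross-origin auth handling discussed in the last few comments: per-request credentials are not replayed to a different origin, while a session-wide auth value is reapplied on every hop. The Request class, the follow_redirect function, the session_auth parameter, and the decision to also strip a hand-set Cookie header on an origin change are this example's own assumptions, not aiohttp's API.

```python
"""Illustrative model of a redirect-following HTTP client (added example,
NOT aiohttp's implementation; all names here are this example's own)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Content headers RFC 9110 15.4 says to remove when the method changes to GET.
CONTENT_HEADERS = {"content-encoding", "content-language", "content-length",
                   "content-location", "content-type"}
# Per-request credential headers this example refuses to replay cross-origin
# (stripping Cookie here is an assumption; a real client scopes cookies by jar).
CREDENTIAL_HEADERS = {"authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


def origin(url: str) -> Tuple[str, Optional[str], Optional[int]]:
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, p.hostname, p.port or DEFAULT_PORTS.get(scheme))


def follow_redirect(req: Request, status: int, location: str,
                    session_auth: Optional[str] = None) -> Request:
    """Build the request to send after `req` got `status` with a Location of
    `location`. `session_auth` models an auth value set on the whole session."""
    if status not in (301, 302, 303, 307, 308):
        raise ValueError(f"not a redirect status handled here: {status}")
    url = urljoin(req.url, location)            # Location may be relative
    headers = {k.lower(): v for k, v in req.headers.items()}
    method, body = req.method, req.body

    # Method rewrite: 303 always becomes GET (HEAD stays HEAD); 301/302 only
    # rewrite POST, the historical behaviour RFC 9110 explicitly permits.
    if status == 303 and method != "HEAD":
        method = "GET"
    elif status in (301, 302) and method == "POST":
        method = "GET"
    # 307/308: method and body are replayed unchanged.

    # Drop the body and the headers describing it when the method was rewritten,
    # and on 303 even for a GET that carried a body. A GET body on 301/302 is
    # kept: the RFC only speaks about the change-to-GET case.
    if method != req.method or status == 303:
        body = None
        for h in CONTENT_HEADERS:
            headers.pop(h, None)

    # Never replay per-request credentials to a different origin ...
    if origin(url) != origin(req.url):
        for h in CREDENTIAL_HEADERS:
            headers.pop(h, None)
    # ... but a session-wide auth value is global and is reapplied on every hop.
    if session_auth is not None:
        headers["authorization"] = session_auth

    return Request(method, url, headers, body)
```

The credential stripping keys on the full (scheme, host, port) origin, not just the host, so a redirect from https://a.example to http://a.example also loses the Authorization header; that matters because a downgrade hop would otherwise leak the token in clear text.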
Describe the bug
aiohttp keeps sending the body every time it's redirected.
To Reproduce
Expected behavior
aiohttp shouldn't send the body after being redirected. At the very least requests doesn't behave in this way and avoids sending the body a second time.
Logs/tracebacks
Minimum reproducible code:
Python Version
aiohttp Version
multidict Version
yarl Version
OS
Related component
Client
Additional context
As far as I understand aiohttp shouldn't send the body after being redirected.
On danbooru/danbooru#5185 it was found that aiohttp was behaving differently and was not being consistent with the behavior of other clients.
I'm not very well-versed in this topic so I apologize beforehand if I messed up the terminology but I can see the discrepancy. Please let me know if there's anything else that needs to be included in the issue.
Code of Conduct