Open NEON725 opened 1 year ago
Sorry for the late reply. This issue was not forgotten, but it is a particular tough one, because this change was introduced when making the CivetWeb WebDav implementation working for the Windows 10 Explorer. This entire code is now tested again, and also delayed the release since more than two months (with some sick leave and holidays).
But in any case: Thank you very much for the bug report. It will be fixed.
It's cool man. Usually I'm just glad when my reports are reproducible.
Just wanted to write a bug report about this as well so good to know it's on your radar and looking forward to a fix!
If it may help, for our users it happens when they manually enter the URL to an application frontend without index.html and without trailing slash, e.g. http://127.0.0.1:8080/A/B
like NEON725 said above. Thing is, browsers seem to auto-complete the URL if it's in their history or whatever, so it took me a while to reproduce it and to realise that it's coming from civetweb :-)
When accessing a directory from a browser, if index_files is set, civetweb will issue a 301 - Redirect, and provide a new URL in the "Location" header.
In version v1.15 and earlier, the Location value is specified relative to the URL root. E.G.
http://127.0.0.1:8080/A/B
is redirected to/A/B/
. The browser interprets this ashttp://127.0.0.1:8080/A/B/
, and a subsequent request from the browser uses theindex.html
file transparently without the browser being aware.In the latest version (commit c6e4e33b7863745b3a6af89cea78eecc8b509ac8 at time of writing), the Location header instead specifies a complete URL including the domain, using the authentication_domain value to populate the URL. E.G.
http://127.0.0.1:8080/A/B
is redirected tohttp://mydomain.com/A/B/
. This causes a failed CORS request because the authentication_domain value was intentionally not set.This appears to be defective behavior because: