Is this a BUG REPORT or FEATURE REQUEST?: feature
What happened: Currently, when a 301/302 status comes in from the response we forward this to the client.
What you expected to happen: Use new location coming from 301/302 as new upstream and send the first non-301/302 response back to the client. The client therefore doesn't care about redirects on the upstream service as they would expect to access this specific service under this specific domain anyway.
Anything else we need to know?: Do we run into any issues with this? It's a non-transparent redirect so not perfect, but from an attack vector perspective the upstream attacker already is the owner of the upstream or else they wouldn't be able to send a 301/302 response.
Copied from txtdirect/txtdirect#233
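
The requested behaviour, following upstream 301/302 inside the proxy and returning the first non-301/302 response, as an added example that is not txtdirect's code. The name `followRedirects`, the hop cap, the `allow` destination policy and the credential stripping are assumptions of this sketch; they address the issues the request asks about (redirect loops, and the proxy fetching whatever `Location` the upstream names while carrying the client's headers).

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// followRedirects (hypothetical name) wraps a proxy's upstream transport: it
// follows 301/302 itself and returns the first non-301/302 response.
type followRedirects struct {
	base    http.RoundTripper
	maxHops int                 // assumption: hop cap so redirect loops end
	allow   func(*url.URL) bool // assumption: policy for where a hop may go
}

func (t followRedirects) RoundTrip(req *http.Request) (*http.Response, error) {
	for hop := 0; ; hop++ {
		resp, err := t.base.RoundTrip(req)
		if err != nil {
			return nil, err
		}
		redirect := resp.StatusCode == http.StatusMovedPermanently || resp.StatusCode == http.StatusFound
		// Requests that may carry a body are not replayed; pass their redirect through.
		if !redirect || (req.Method != http.MethodGet && req.Method != http.MethodHead) {
			return resp, nil
		}
		resp.Body.Close()
		loc := resp.Header.Get("Location")
		if loc == "" || hop >= t.maxHops {
			return nil, fmt.Errorf("upstream redirect not followed (hop %d, Location %q)", hop, loc)
		}
		next, err := req.URL.Parse(loc) // also resolves relative Locations
		if err != nil || !t.allow(next) {
			return nil, fmt.Errorf("redirect target %q rejected", loc)
		}
		nreq := req.Clone(req.Context()) // never mutate the caller's request
		if next.Host != req.URL.Host {   // keep client credentials off a new host
			nreq.Header.Del("Authorization")
			nreq.Header.Del("Cookie")
		}
		nreq.URL, nreq.Host = next, next.Host
		req = nreq
	}
}

func main() {
	tr := followRedirects{http.DefaultTransport, 3, func(u *url.URL) bool { return u.Scheme == "https" }}
	fmt.Printf("follows up to %d upstream hops\n", tr.maxHops)
}
```

Plugged in as the `Transport` of a reverse proxy, the client only ever sees the final response; the `allow` callback is where a deployment would restrict hops, for example to public addresses or a known set of hosts.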