jeremyevans
commented
3 years ago I agree this is an issue. Historically, relative URLs weren't supported in Location, but they have been supported for a long time, and it's unlikely that any modern client cannot handle them.
micchickenburger
In
/lib/webrick/httpresponse.rb:295the location response header is modified to include the request URI, creating an absolute URI. However, relative URIs are allowed in the location field. (See https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2).This causes issues with reverse proxies and other proxy software. For instance, Hashicorp Boundary proxies a TCP connection through localhost using an ephemeral port to a destination web server. Because webrick does not allow relative URIs in this field, the client navigates to the resource on the wrong host or port (because the request port from the proxy != the client port to the proxy).
I think this segment of code should be removed entirely.