Open yujincheng08 opened 4 months ago
Hi, RTSP follows HTTP which also sends Authorization header to redirected target.
Change the option to `max_redirect: u8` so that we can specify the maximum follows.
@scottlamb Gentle ping
@scottlamb Gentle ping
@scottlamb Gentle ping
Hey, I know you've been waiting a long time on this. I'm uncomfortable though about the security implications of sending the credentials to another host.
> Hi, RTSP follows HTTP which also sends Authorization header to redirected target.
Can you point me at where the spec mandates clients behave in that way? I can't find it, and I've read through the HTTP/1.1 spec (and specifically several versions of `Authorization`-related RFCs while writing `http-auth`) a fair bit.
Here's a stackoverflow thread on the subject, fwiw, and it suggests other clients have made the choice to remove credentials on redirect.
In your use case, are redirects happening to a different (scheme, host, port)? or is only the path changing?
I'd be less concerned about...
```rust
trait CredentialStore {
    // Looks up the credentials to send for `url`.
    fn get_credentials(url: &Url) -> Box<dyn Future<Output = Result<Credentials, BoxError>>>;
}
```
Fix #92
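The question raised in the thread, whether a redirect changes the (scheme, host, port) or only the path, can be turned into a per-hop decision. The following is an added example, not code from this pull request or the project: `origin`, `decide`, `Redirect` and `hops_so_far` are hypothetical names, the URLs are constructed, and only `max_redirect` comes from the thread.

```rust
// Added example; names are hypothetical and this is not the project's API.
#[derive(Debug, PartialEq)]
struct Origin { scheme: String, host: String, port: u16 }

#[derive(Debug, PartialEq)]
enum Redirect { FollowWithCredentials, FollowWithoutCredentials, Refuse }

/// Parses the (scheme, host, port) of an rtsp:// or rtsps:// URL; None for anything else.
fn origin(url: &str) -> Option<Origin> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    // Default ports per RFC 7826: 554 for rtsp, 322 for rtsps.
    let default_port: u16 = match scheme.as_str() {
        "rtsp" => 554,
        "rtsps" => 322,
        _ => return None,
    };
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    // Drop any userinfo ("user:pass@") so it cannot disguise the real host.
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let (host, port) = match hostport.rsplit_once(':') {
        // A tail ending in ']' is the inside of a bare IPv6 literal, not a port.
        Some((h, p)) if !p.ends_with(']') => (h, p.parse::<u16>().ok()?),
        _ => (hostport, default_port),
    };
    if host.is_empty() {
        return None;
    }
    Some(Origin { scheme, host: host.to_ascii_lowercase(), port })
}

/// Decides what to do with a redirect from `original` to `location`.
fn decide(original: &str, location: &str, hops_so_far: u8, max_redirect: u8) -> Redirect {
    if hops_so_far >= max_redirect {
        return Redirect::Refuse;
    }
    match (origin(original), origin(location)) {
        (Some(a), Some(b)) if a == b => Redirect::FollowWithCredentials,
        (Some(_), Some(_)) => Redirect::FollowWithoutCredentials,
        _ => Redirect::Refuse, // unparsable or non-RTSP target: fail closed
    }
}

fn main() {
    // Constructed URLs for illustration.
    println!("{:?}", decide("rtsp://cam.example/a", "rtsp://cam.example:554/b", 0, 3));
    println!("{:?}", decide("rtsp://cam.example/a", "rtsp://other.example/a", 0, 3));
}
```

Comparing against the originally configured URL rather than the previous hop keeps a chain of redirects from gradually walking the credentials to a different host.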