scottlamb / retina

High-level RTSP multimedia streaming library, in Rust
https://crates.io/crates/retina
Apache License 2.0
218 stars 46 forks

Add option to follow 301 and 302 redirection #93

Open yujincheng08 opened 4 months ago

yujincheng08 commented 4 months ago

Fix #92

yujincheng08 commented 4 months ago

Hi, RTSP follows HTTP which also sends Authorization header to redirected target.

yujincheng08 commented 4 months ago

Change the option to max_redirect: u8 so that we can specify the maximum follows.

yujincheng08 commented 3 months ago

@scottlamb Gentle ping

yujincheng08 commented 3 months ago

@scottlamb Gentle ping

yujincheng08 commented 2 months ago

@scottlamb Gentle ping

scottlamb commented 2 months ago

Hey, I know you've been waiting a long time on this. I'm uncomfortable though about the security implications of sending the credentials to another host.

> Hi, RTSP follows HTTP which also sends Authorization header to redirected target.

Can you point me at where the spec mandates clients behave in that way? I can't find it, and I've read through the HTTP/1.1 spec (and specifically several versions of Authorization-related RFCs while writing http-auth) a fair bit.

Here's a Stack Overflow thread on the subject, fwiw, and it suggests other clients have made the choice to remove credentials on redirect.

In your use case, are redirects happening to a different (scheme, host, port)? or is only the path changing?

I'd be less concerned about...

  1. keeping the credentials only if the (scheme, host, port) remain constant, or
  2. providing a "credential store" that can be queried on individual request, something like:
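```rust
use std::{future::Future, pin::Pin};

trait CredentialStore {
    // Returns the credentials to send with a request to `url`.
    fn get_credentials(&self, url: &Url) -> Pin<Box<dyn Future<Output = Result<Credentials, BoxError>>>>;
}
```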
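Added example, not part of the thread and not retina's code: a std-only sketch of option 1 above, deciding per redirect hop whether the `Authorization` header may be kept, combined with the `max_redirect: u8` limit from the PR. The names `Origin`, `origin` and `plan_redirects` are hypothetical, the URLs are constructed, and the hand-rolled parsing stands in for a real URL parser; each hop is compared against the origin of the URL the caller supplied credentials for.

```rust
// Added example: hypothetical names, std only; not retina's API.
#[derive(Debug, PartialEq, Eq)]
struct Origin { scheme: String, host: String, port: u16 }

/// Extracts (scheme, host, port) from an absolute rtsp:// or rtsps:// URL.
fn origin(url: &str) -> Option<Origin> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    let default_port = match scheme.as_str() {
        "rtsp" => 554,
        "rtsps" => 322,
        _ => return None, // unknown scheme: never treated as same origin
    };
    // The authority ends at the first '/', '?' or '#'.
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    // Userinfo (user:pass@) is not part of the origin.
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let (host, port) = match hostport.strip_prefix('[') {
        Some(v6) => { // bracketed IPv6 literal, optionally followed by ":port"
            let (h, after) = v6.split_once(']')?;
            if !after.is_empty() && !after.starts_with(':') { return None; }
            (h, after.strip_prefix(':'))
        }
        None => match hostport.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (hostport, None),
        },
    };
    if host.is_empty() { return None; }
    let port = match port { Some(p) => p.parse().ok()?, None => default_port };
    Some(Origin { scheme, host: host.to_ascii_lowercase(), port })
}

/// For each redirect target, says whether credentials may be sent: only when it
/// keeps the (scheme, host, port) of `start`. An unparseable target gets none.
/// Fails when the chain is longer than `max_redirect`.
fn plan_redirects(start: &str, locations: &[&str], max_redirect: u8) -> Result<Vec<bool>, String> {
    let trusted = origin(start).ok_or("unparseable start URL")?;
    if locations.len() > usize::from(max_redirect) {
        return Err(format!("more than {max_redirect} redirects"));
    }
    Ok(locations.iter().map(|loc| origin(loc).as_ref() == Some(&trusted)).collect())
}

fn main() {
    // Constructed redirect chain: same origin, other host, other port.
    let hops = ["rtsp://cam.example:554/live/2", "rtsp://cdn.example/live/2", "rtsp://cam.example:8554/live/2"];
    println!("{:?}", plan_redirects("rtsp://user:pw@cam.example/live/1", &hops, 3));
}
```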