[HTTPS-Everywhere] https redirect issue
Seth David Schoen
schoen at eff.org
Tue Sep 15 09:16:11 PDT 2015
sjw at gmx.ch writes:
> so bad:
> $ curl -I https://store.pfsense.org/SG-2220
> HTTP/1.1 200 OK
> Content-Length: 162
> Server: Microsoft-IIS/8.0
> Refresh: 0;URL=http://store.pfsense.org/SG-2220
I think this is exactly what you were getting at, but for other
readers' benefit, note that if they used an HTTP 301 redirect instead
of 200 OK, HTTPS Everywhere would detect the loop! Only "Refresh"
and JavaScript-based redirection cause loops that we can't detect.
("Refresh: 0" is not a good practice for telling a browser that it went
to the wrong URL or wrong version of a resource.)
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
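
The distinction drawn in the message above, as an added example that is not part of the original post or of HTTPS Everywhere's code: a check that reads `curl -I` output and reports whether an https:// URL is sent back to http:// by a 3xx `Location` redirect or by a `Refresh` header. The function names and the classification labels are assumptions made for this illustration; the sample header block is the one quoted in the message.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: the header block quoted in the message above.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Length: 162
Server: Microsoft-IIS/8.0
Refresh: 0;URL=http://store.pfsense.org/SG-2220
"""

def parse_head(raw):
    """Split `curl -I` output into (status_code, {lowercased header: value})."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def refresh_target(value):
    """Return the URL part of a Refresh header value, or None if it has none."""
    m = re.match(r"\s*\d+\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", value, re.I)
    return m.group(1).strip() if m else None

def classify(request_url, raw):
    """Report how a response sends the client elsewhere, and to which URL."""
    status, headers = parse_head(raw)
    if 300 <= status < 400 and "location" in headers:
        # HTTP-level redirect: the case the message says can be detected.
        target, kind = headers["location"], "http-redirect"
    elif "refresh" in headers and refresh_target(headers["refresh"]):
        # 200 OK plus Refresh: the case the message says cannot be detected.
        target, kind = refresh_target(headers["refresh"]), "refresh-header"
    else:
        return ("no-redirect", None)
    target = urljoin(request_url, target)  # resolve relative targets
    downgrade = (urlsplit(request_url).scheme == "https"
                 and urlsplit(target).scheme == "http")
    return (kind + ("-downgrade" if downgrade else ""), target)

if __name__ == "__main__":
    print(classify("https://store.pfsense.org/SG-2220", SAMPLE_HEADERS))
```

A `refresh-header-downgrade` result on a URL that a ruleset rewrites to https:// marks a site where the rewrite and the server's `Refresh` will keep sending the browser back and forth.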