Question
I'm using OkHttp transitively through Apache NiFi. I'm attempting to determine how Authorization and other sensitive headers are handled on redirect. The only interaction that NiFi's InvokeHTTP processor has with OkHttp in regards to redirects is here, where it reads a processor property and sets the option on the OkHttpClientBuilder object:
// Set whether to follow redirects
okHttpClientBuilder.followRedirects(context.getProperty(PROP_FOLLOW_REDIRECTS).asBoolean());
Quickly searching through the source of OkHttp, I cannot seem to identify where redirects are handled in order to verify that Authorization is stripped from subsequent requests, as I would expect. cURL just recently adopted that behavior for security reasons.
Answer 1:
It happens in RetryAndFollowUpInterceptor.
// When redirecting across hosts, drop all authentication headers. This
// is potentially annoying to the application layer since they have no
// way to retain them.
if (!sameConnection(userResponse, url)) {
requestBuilder.removeHeader("Authorization");
}
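An added check (not from the question, the answer, NiFi or OkHttp itself) that exercises the behaviour the quoted interceptor code describes, using OkHttp 3.x and its MockWebServer artifact: one local server redirects to a second one on another port (so sameConnection is false) and then to itself, and the follow-up request each target received is printed. Header values and the X-Api-Key header are constructed; per the quoted code, only Authorization is removed, and only on the cross-host hop.

```java
import java.io.IOException;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;

public class RedirectHeaderCheck {
    // Sends a request carrying two constructed headers to `origin`, which answers
    // with a 302 to `target`, and returns the request `target` received after OkHttp
    // followed the redirect. Passing the same server twice gives a same-host redirect.
    static RecordedRequest followUpSeenByTarget(MockWebServer origin, MockWebServer target)
            throws IOException, InterruptedException {
        origin.enqueue(new MockResponse().setResponseCode(302)
                .setHeader("Location", target.url("/landing").toString()));
        target.enqueue(new MockResponse().setResponseCode(200).setBody("ok"));

        OkHttpClient client = new OkHttpClient.Builder()
                .followRedirects(true) // the option InvokeHTTP sets from PROP_FOLLOW_REDIRECTS
                .build();
        Request request = new Request.Builder()
                .url(origin.url("/start"))
                .header("Authorization", "Bearer constructed-token")
                .header("X-Api-Key", "constructed-api-key") // hypothetical custom header
                .build();
        client.newCall(request).execute().close(); // follows the redirect, then releases the body

        origin.takeRequest();        // the initial request to /start
        return target.takeRequest(); // the follow-up request to /landing
    }

    static void report(String label, RecordedRequest r) {
        System.out.println(label + ": Authorization=" + r.getHeader("Authorization")
                + ", X-Api-Key=" + r.getHeader("X-Api-Key"));
    }

    public static void main(String[] args) throws Exception {
        MockWebServer a = new MockWebServer();
        MockWebServer b = new MockWebServer();
        a.start(); b.start();
        try {
            // Two servers on different localhost ports: sameConnection() is false here.
            report("cross-host redirect", followUpSeenByTarget(a, b));
            // a redirecting to itself: scheme, host and port all match.
            report("same-host redirect", followUpSeenByTarget(a, a));
        } finally {
            a.shutdown(); b.shutdown();
        }
    }
}
```

Because the interceptor removes only the Authorization header, any credential carried in a custom header or cookie is not covered by this check and has to be handled by the caller.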
Source: https://stackoverflow.com/questions/52284568/does-okhttp-send-authorization-and-other-potentially-sensitive-headers-on-redire