Make NSUrlSessionHandler handle redirects like the .NET handlers do#25529
Conversation
This change updates NSUrlSessionHandler redirect auth handling so it matches the .NET handlers more closely, this is just for .NET compatibility and for correctness; there's no security enforcement here. After an automatic redirect credentials are now resolved against the current redirect target Url instead of the orginal request Url. Also, non CredentialCache credentials are not reused across redirects by default, which is consistent with `SocketsHttpHandler` and `WinHttpHandler`. This avoids sending credentials that were scoped, or only meant for the original origin, to a redirected destination. CredentialCache entries still work when they are explicitly scoped for the redirect target.
dalexsoto
requested review from
Copilot and
rolfbjarne
and removed request for
Copilot
✅ [PR Build #76d930e] Build passed (Detect API changes) ✅Pipeline on Agent |
This comment has been minimized.
This comment has been minimized.
✅ [PR Build #76d930e] Build passed (Build packages) ✅Pipeline on Agent |
✅ API diff for current PR / commitNET (empty diffs)✅ API diff vs stableNET (empty diffs)ℹ️ Generator diffGenerator Diff: vsdrops (html) vsdrops (raw diff) gist (raw diff) - Please review changes) Pipeline on Agent |
✅ [PR Build #76d930e] Build passed (Build macOS tests) ✅Pipeline on Agent |
This comment has been minimized.
This comment has been minimized.
🚀 [CI Build #76d930e] Test results 🚀Test results✅ All tests passed on VSTS: test results. 🎉 All 193 tests passed 🎉 Tests counts✅ cecil: All 1 tests passed. [attempt 2] Html Report (VSDrops) Download macOS tests✅ Tests on macOS Monterey (12): All 5 tests passed. Html Report (VSDrops) Download Linux Build VerificationPipeline on Agent |
3 participants
This change updates NSUrlSessionHandler redirect auth handling so it matches the .NET handlers more closely, this is just for .NET compatibility and for correctness; there's no security enforcement here. After an automatic redirect credentials are now resolved against the current redirect target Url instead of the orginal request Url. Also, non CredentialCache credentials are not reused across redirects by default, which is consistent with
SocketsHttpHandlerandWinHttpHandler. This avoids sending credentials that were scoped, or only meant for the original origin, to a redirected destination. CredentialCache entries still work when they are explicitly scoped for the redirect target.