API Authorization headers are sent in "CDN" download requests
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
Fix Committed
|
Undecided
|
Zeyad Gouda |
Bug Description
After an authenticated request (eg. using X-Device-
This is unnecessary. The redirect location, if any, is a signed url to one of our "CDN"s and needs no further authentication.
If the API download endpoint does not return the content right away (which can happen in a snap-store-proxy setting for example) and returns a 302 response, snapd should drop any device/user authentication headers intended for the store API in the request to the redirect location.
(We've (Store) decided that this does not have to be a private bug currently.)
It should be possible to address this with https:/ /pkg.go. dev/net/ http#Client. CheckRedirect. Should we drop the authorization headers unconditionally or only if the domain is not the original one?