New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add allowInsecureRedirect option #28

Merged

chrisbreiding merged 3 commits into cypress-io:master from legobeat:ssrf-allow-insecure-redirect

Aug 8, 2023

Commits on Aug 1, 2023

security: breaking: Add option "allowInsecureRedirect"
```
- Addresses CVE-2023-28155
  - Existing behavior allows malicios redirects between protocols
  - Set default behavior to disable this vector (breaking)
  - Add new option `allowInsecureRedirect` where `true` reverts to old
    behavior
- Ported from request#3444
```
SzymonDrosdzol authored and legobeat committed Aug 1, 2023
Configuration menu
View commit details

Copy full SHA for 35e023c

Browse repository at this point
Copy the full SHA

35e023c View commit details

Browse the repository at this point in the history
test: allowInsecureRedirect for cross-proto redirects

legobeat committed Aug 1, 2023
Configuration menu
View commit details

Copy full SHA for d065ff6

Browse repository at this point
Copy the full SHA

d065ff6 View commit details

Browse the repository at this point in the history
docs: Document default value for allowInsecureRedirect

legobeat committed Aug 1, 2023
Configuration menu
View commit details

Copy full SHA for 8625fb6

Browse repository at this point
Copy the full SHA

8625fb6 View commit details

Browse the repository at this point in the history