API Authorization headers are sent in "CDN" download requests
Bug #2027993 reported by
Przemysław Suliga
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snapd |
Fix Committed
|
Undecided
|
Zeyad Gouda | ||
Bug Description
After an authenticated request (eg. using X-Device-
This is unnecessary. The redirect location, if any, is a signed url to one of our "CDN"s and needs no further authentication.
If the API download endpoint does not return the content right away (which can happen in a snap-store-proxy setting for example) and returns a 302 response, snapd should drop any device/user authentication headers intended for the store API in the request to the redirect location.
(We've (Store) decided that this does not have to be a private bug currently.)
Revision history for this message
| Samuele Pedroni (pedronis) wrote | #1 |
Revision history for this message
| Przemysław Suliga (suligap) wrote | #2 |
Revision history for this message
| Zeyad Gouda (zeyadgouda) wrote | #3 |
| Changed in snapd: | |
| assignee: | nobody → Zeyad Gouda (zeyadgouda) |
| status: | New → In Progress |
Revision history for this message
| Zeyad Gouda (zeyadgouda) wrote | #4 |
| Changed in snapd: | |
| status: | In Progress → Fix Committed |
To post a comment you must log in.
It should be possible to address this with https:/