diff --git a/include/libwebsockets/lws-secure-streams-policy.h b/include/libwebsockets/lws-secure-streams-policy.h index 00063c337..41d2a9654 100644 --- a/include/libwebsockets/lws-secure-streams-policy.h +++ b/include/libwebsockets/lws-secure-streams-policy.h @@ -124,6 +124,8 @@ enum { */ LWSSSPOLF_SERVER = (1 << 15), /**< we listen on a socket as a server */ + LWSSSPOLF_ALLOW_REDIRECTS = (1 << 16), + /**< follow redirects */ }; typedef struct lws_ss_trust_store { diff --git a/lib/secure-streams/README.md b/lib/secure-streams/README.md index 887f2dd58..5d064e7d4 100644 --- a/lib/secure-streams/README.md +++ b/lib/secure-streams/README.md @@ -251,9 +251,10 @@ arbitrarily fragmented by any intermediary, such streams have to be regarded as ordered bytestream that may be fragmented at any byte without any meaning in terms of message boundaries, for that reason SOM and EOM are ignored with raw. -### `plugins` +### `allow_redirects` -Array of plugin names to apply to the stream, if any +By default redirects are not followed, if you wish a streamtype to observe them, eg, +because that's how it responds to a POST, set `"allow_redirects": true` ### `tls` diff --git a/lib/secure-streams/policy-json.c b/lib/secure-streams/policy-json.c index d220d7f4f..1a6bc29e0 100644 --- a/lib/secure-streams/policy-json.c +++ b/lib/secure-streams/policy-json.c @@ -50,6 +50,7 @@ static const char * const lejp_tokens_policy[] = { "s[].*.client_cert", "s[].*.opportunistic", "s[].*.nailed_up", + "s[].*.allow_redirects", "s[].*.urgent_tx", "s[].*.urgent_rx", "s[].*.long_poll", @@ -121,6 +122,7 @@ typedef enum { LSSPPT_TLS_CLIENT_CERT, LSSPPT_OPPORTUNISTIC, LSSPPT_NAILED_UP, + LSSPPT_ALLOW_REDIRECTS, LSSPPT_URGENT_TX, LSSPPT_URGENT_RX, LSSPPT_LONG_POLL, 
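Review bot: The doc comment on `LWSSSPOLF_ALLOW_REDIRECTS` in lws-secure-streams-policy.h does not say what the default is or whose redirects are meant, which matters because the flag widens where a stream may connect. Something like `/**< client stream follows HTTP redirects sent by the server; without this flag they are rejected */` would match the README text and the check added in ss-h1.c in this same diff. Only ss-h1.c is seen consulting the flag here, so if other protocol bindings handle redirects separately, the comment should say which ones honour it.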
@@ -577,6 +579,11 @@ lws_ss_policy_parser_cb(struct lejp_ctx *ctx, char reason) a->curr[LTY_POLICY].p->flags |= LWSSSPOLF_WAKE_SUSPEND__VALIDITY; break; + case LSSPPT_ALLOW_REDIRECTS: + if (reason == LEJPCB_VAL_TRUE) + a->curr[LTY_POLICY].p->flags |= + LWSSSPOLF_ALLOW_REDIRECTS; + break; case LSSPPT_RETRYPTR: bot = a->heads[LTY_BACKOFF].b; diff --git a/lib/secure-streams/protocols/ss-h1.c b/lib/secure-streams/protocols/ss-h1.c index 9d69a6c22..9c7305f0b 100644 --- a/lib/secure-streams/protocols/ss-h1.c +++ b/lib/secure-streams/protocols/ss-h1.c @@ -245,8 +245,8 @@ secstream_h1(struct lws *wsi, enum lws_callback_reasons reason, void *user, if (h->policy->u.http.fail_redirect) lws_system_cpd_set(lws_get_context(wsi), LWS_CPD_CAPTIVE_PORTAL); - /* don't follow it */ - return 1; + /* unless it's explicitly allowed, reject to follow it */ + return !(h->policy->flags & LWSSSPOLF_ALLOW_REDIRECTS); case LWS_CALLBACK_CLOSED_HTTP: /* server */ case LWS_CALLBACK_CLOSED_CLIENT_HTTP:
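Review bot: The new `LSSPPT_ALLOW_REDIRECTS` case acts only on `LEJPCB_VAL_TRUE`, so `"allow_redirects": false` is a silent no-op rather than a way to switch the permission off. That is harmless if each streamtype is parsed exactly once from zeroed flags, but if a later policy fragment can revisit an existing streamtype (not visible in this hunk), the flag can never be revoked. Consider adding `else if (reason == LEJPCB_VAL_FALSE) a->curr[LTY_POLICY].p->flags &= ~LWSSSPOLF_ALLOW_REDIRECTS;`. The body of lws_ss_policy_parser_cb starts and ends outside the hunk.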
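Review bot: With `allow_redirects` set on a streamtype that also has `fail_redirect`, the context lines just above the new return in ss-h1.c still mark the system as `LWS_CPD_CAPTIVE_PORTAL` and the redirect is then followed anyway, so a captive-portal probe can end up talking to the portal it just detected. Returning from inside that branch, e.g. `if (h->policy->u.http.fail_redirect) { lws_system_cpd_set(lws_get_context(wsi), LWS_CPD_CAPTIVE_PORTAL); return 1; }`, keeps the probe semantics independent of the new flag. The flag is also all-or-nothing as written: nothing in the hunk limits the redirect target to the policy's endpoint or scheme, so whether auth headers and the TLS requirement carry over to the new location should be checked in the redirect handling outside this hunk and stated in the comment, e.g. `/* follow only if the policy opts in; the target is chosen by the server */`. The enclosing case label and the rest of secstream_h1 are outside the hunk.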