Check for cross-domain redirects that bounce from an allowed domain to a blocked domain

What does this MR do?

AP object fetches (anything that goes through ApResolverService or Resolver class) can redirect between same-authority domains. This PR adds additional checks to ensure that a redirect did not bounce from an allowed domain to a blocked domain. This can be used to bypass federation denylists if an administrator forgets to block the root authority. For example, a block for ice.hazelnoot.dev could be bypassed by adding a redirect from alt.hazelnoot.dev to ice.hazelnoot.dev.

Edited by Hazelnoot
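The check the description asks for, written out as an added example (this is not the merge request's code and not Sharkey/Misskey's ApResolverService or Resolver): follow each redirect hop manually instead of letting the HTTP client do it, and test every hop's host against the denylist before fetching it. The hostnames, the in-memory "network" table, the https-only rule, the default redirect limit and the suffix match (a block on hazelnoot.dev also covers alt.hazelnoot.dev and ice.hazelnoot.dev) are all assumptions made for this example; the real project's matching rules may differ.

```typescript
// Added example, not project code. Redirects are followed hop by hop and every
// hop's host is checked against the denylist, so a fetch cannot start on an
// allowed host and bounce into a blocked one. The fetcher is injected so the
// example runs offline against a constructed table instead of the network.

type FetchResult = { status: number; headers: Map<string, string>; body: string };
type Fetcher = (url: string) => Promise<FetchResult>;

// Assumption: a blocked host also blocks its subdomains (suffix match on a
// label boundary), so "notice.hazelnoot.dev" does not match "ice.hazelnoot.dev".
export function isHostBlocked(host: string, blockedHosts: readonly string[]): boolean {
  const h = host.toLowerCase();
  return blockedHosts.some((entry) => {
    const blocked = entry.toLowerCase();
    return h === blocked || h.endsWith('.' + blocked);
  });
}

export class BlockedHostError extends Error {
  readonly url: string;
  readonly hop: number; // 0 = the URL originally requested, 1 = first redirect target, ...
  constructor(url: string, hop: number) {
    super(`redirect hop ${hop} lands on a blocked host: ${url}`);
    this.url = url;
    this.hop = hop;
  }
}

export async function fetchFollowingChecked(
  startUrl: string,
  blockedHosts: readonly string[],
  fetchImpl: Fetcher,
  maxRedirects = 5, // assumed limit; pick whatever the deployment tolerates
): Promise<{ finalUrl: string; body: string; chain: string[] }> {
  const chain: string[] = [];
  let current = new URL(startUrl);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    // Assumption: AP object fetches are https only.
    if (current.protocol !== 'https:') throw new Error(`refusing non-https URL: ${current.href}`);
    // The check runs before the request, for the start URL and for every redirect target.
    if (isHostBlocked(current.hostname, blockedHosts)) throw new BlockedHostError(current.href, hop);
    chain.push(current.href);
    const res = await fetchImpl(current.href);
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error(`redirect without Location from ${current.href}`);
      current = new URL(location, current); // relative Location resolves against the current URL
      continue;
    }
    if (res.status !== 200) throw new Error(`unexpected status ${res.status} from ${current.href}`);
    return { finalUrl: current.href, body: res.body, chain };
  }
  throw new Error(`too many redirects starting from ${startUrl}`);
}

// Constructed responses for the example: alt.hazelnoot.dev 302s to ice.hazelnoot.dev,
// and an unrelated host uses a relative Location that stays on the same host.
export const sampleNetwork: Record<string, { status: number; location?: string; body?: string }> = {
  'https://alt.hazelnoot.dev/users/alice': { status: 302, location: 'https://ice.hazelnoot.dev/users/alice' },
  'https://ice.hazelnoot.dev/users/alice': { status: 200, body: '{"type":"Person"}' },
  'https://other.example/notes/1': { status: 301, location: '/notes/1/canonical' },
  'https://other.example/notes/1/canonical': { status: 200, body: '{"type":"Note"}' },
};

export const fakeFetch: Fetcher = async (url) => {
  const entry = sampleNetwork[url];
  if (!entry) return { status: 404, headers: new Map<string, string>(), body: '' };
  const headers = new Map<string, string>();
  if (entry.location) headers.set('location', entry.location);
  return { status: entry.status, headers, body: entry.body ?? '' };
};

// Usage: with only ice.hazelnoot.dev blocked, the alt.hazelnoot.dev fetch is refused
// at hop 1 instead of silently returning the blocked instance's object.
fetchFollowingChecked('https://alt.hazelnoot.dev/users/alice', ['ice.hazelnoot.dev'], fakeFetch)
  .then(() => console.log('unexpected: fetch succeeded'), (e) => console.log(String(e)));
```

Doing the hop-by-hop walk yourself matters because a client that follows redirects internally only ever shows you the final response; by the time you could check its URL, the request to the blocked host has already been made. Checking before each request also means the blocked instance never sees the fetch.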
