When an image with source={{ uri: "...", headers: { host: "somehost.com", authorization: "..." } }} is loaded, all other subsequent images will use the same headers.
This can lead to images not showing, because the host header is wrong, and web servers will return 404 errors for the request.
To Reproduce
Steps to reproduce the behavior if possible, or a link to a reproduction repo:
1. Add an image with source={{ uri: "hookbin endpoint #1", headers: { foo: "bar" } }}.
2. Create another endpoint at hookbin.
3. Add another image with source={{ uri: "hookbin endpoint #2" }}, ensure it loads after image 2.
4. The request for image on endpoint #2 will include the foo: bar headers.
This is probably the reason for a lot of errors with images not properly showing in this repository.
Additionally, this is a serious security issue, as signing credentials or other session tokens could be leaked to other servers. See screenshot below.
Expected behavior
Headers should not be reused.
Screenshots
Notice how headers are leaked to other servers. The headers were only supposed to be used for images from the s3 bucket, but they are attached to every request.
Dependency versions
React Native version: 0.62.1
React version: 16.11.0
React Native Fast Image version: 8.1.5
Not an issue in the upstream dependency; this is a bug in the react-native-fast-image implementation on iOS. It should use the correct API for per-image-level header setup.
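The header reuse reported above, and a regression check for it, as an added example that is not code from react-native-fast-image or from either poster. The two downloader classes are hypothetical simplified models, and the endpoint URLs are constructed placeholders for the two hookbin endpoints.

```javascript
// Model of the reported behaviour (hypothetical class, not the library's code):
// one header map shared by every request, so earlier headers persist.
class SharedHeaderDownloader {
  constructor() { this.headers = {}; this.sent = []; }
  load({ uri, headers = {} }) {
    Object.assign(this.headers, headers); // shared state carries over
    this.sent.push({ uri, headers: { ...this.headers } });
  }
}

// Model of the expected behaviour: headers live only on their own request.
class PerRequestDownloader {
  constructor() { this.sent = []; }
  load({ uri, headers = {} }) {
    this.sent.push({ uri, headers: { ...headers } });
  }
}

// Regression check: list every header sent on a request that the image's own
// source did not declare. Names compare case-insensitively, as in HTTP, and
// only names are reported so the check never logs credential values.
function findLeakedHeaders(sources, sent) {
  const declared = new Map(sources.map(s =>
    [s.uri, new Set(Object.keys(s.headers || {}).map(h => h.toLowerCase()))]));
  const leaks = [];
  for (const req of sent) {
    const allowed = declared.get(req.uri) || new Set();
    for (const name of Object.keys(req.headers)) {
      if (!allowed.has(name.toLowerCase())) leaks.push({ uri: req.uri, header: name });
    }
  }
  return leaks;
}

// Constructed sample input mirroring the reproduction steps above.
const sources = [
  { uri: "https://endpoint-1.example/a.png", headers: { foo: "bar" } },
  { uri: "https://endpoint-2.example/b.png" },
];

function run(Downloader) {
  const d = new Downloader();
  sources.forEach(s => d.load(s));
  return findLeakedHeaders(sources, d.sent);
}

console.log(run(SharedHeaderDownloader)); // one leak: foo on endpoint 2
console.log(run(PerRequestDownloader));   // no leaks
```

The same `findLeakedHeaders` check can be fed requests captured from real test endpoints, as long as each record carries the requested `uri` and the headers that arrived.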