
With "follow redirect = true", 303 are followed #2806

Closed
lyrixx opened this issue Nov 2, 2020 · 7 comments

Comments


lyrixx commented Nov 2, 2020

Hello

Describe the bug

As you can see, the option is disabled

[screenshot: the "Follow redirects" setting, shown disabled]

And when I get a 303 and I'm in preview mode, the redirection is followed. I think this is due to the fact that there is a "meta refresh" in the body, and it's interpreted:

```html
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='https://api.foo.test/mobile/hotels/search/5e53460b-76df-5725-af84-27a2df117477/results?sortBy=%2Bclosest'" />

        <title>Redirecting to https://api.foo.test/mobile/hotels/search/5e53460b-76df-5725-af84-27a2df117477/results?sortBy=%2Bclosest</title>
    </head>
    <body>
        Redirecting to <a href="https://api.foo.test/mobile/hotels/search/5e53460b-76df-5725-af84-27a2df117477/results?sortBy=%2Bclosest">https://api.foo.test/mobile/hotels/search/5e53460b-76df-5725-af84-27a2df117477/results?sortBy=%2Bclosest</a>.
    </body>
</html>
```

Moreover, the redirected request does not embed the header I manually defined.

If I use "follow redirect: true" everything works fine

Desktop (please complete the following information):

  • OS: Ubuntu 18.04
  • Installation Method: APT
  • App Version 2020.4.2


@jgiovaresco (Contributor)

👋 @lyrixx

I guess you are right; it seems related to "meta refresh" in the body that is interpreted. Besides, we can reproduce it with a 200 response.

> Moreover, the redirected request does not embed the header I manually defined.
> If I use "follow redirect: true" everything works fine

Does that mean that the manually defined headers are sent to the redirected request when the Follow redirects is checked?

Would you be able to provide the content of the Timeline tab to help the investigation?


lyrixx commented Nov 2, 2020

> Does that mean that the manually defined headers are sent to the redirected request when the Follow redirects is checked?

Yes, it looks like it.

Here is the timeline
* Preparing request to https://api.foobar.test/mobile/hotels/search
* Current time is 2020-11-02T15:05:37.807Z
* Using libcurl/7.69.1 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libssh2/1.9.0 nghttp2/1.41.0
* Using default HTTP version
* Disable timeout
* Enable automatic URL encoding
* Disable SSL validation
* Enable cookie sending with jar of 3 cookies
*   Trying 127.0.0.1:443...
* Connected to api.foobar.test (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /tmp/insomnia_2020.4.2/2017-09-20.pem
*   CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=mkcert development certificate; OU=gregoire@gregoire
*  start date: Apr  1 09:54:43 2019 GMT
*  expire date: Apr  1 09:54:43 2029 GMT
*  issuer: O=mkcert development CA; OU=gregoire@gregoire; CN=mkcert gregoire@gregoire
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xe2bea69e000)

> POST /mobile/hotels/search HTTP/2
> Host: api.foobar.test
> cookie: sf_redirect=%7B%22token%22%3A%22c0a3bd%22%2C%22route%22%3A%22api_hotels_new_search%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Dayuse%5C%5CFrontend%5C%5CController%5C%5CApi%5C%5CHotelApiController%22%2C%22method%22%3A%22newHotelsSearchAction%22%2C%22file%22%3A%22%5C%2Fvar%5C%2Fwww%5C%2Fsrc%5C%2FFrontend%5C%2FController%5C%2FApi%5C%2FHotelApiController.php%22%2C%22line%22%3A69%7D%2C%22status_code%22%3A303%2C%22status_text%22%3A%22See%20Other%22%7D
> accept: application/json;version=1.8
> accept-currency: USD
> accept-language: en
> content-type: application/json;version=1.8
> user-agent: Dayuse/4.6.0 android/8.0.0 OkHttp/3.8.0 (samsung; SM-G965F)
> content-length: 152

* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

| {
| 	"availableForDate": "2020-11-14",
| 	"checkInTime": "12:00",
|     "near": {
|         "coordinates": [48.866667, 2.333333],
|         "radius": 500
|     }
| }	

* We are completely uploaded and fine
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!

< HTTP/2 303 
< cache-control: no-cache, private
< content-type: text/html; charset=UTF-8
< date: Mon, 02 Nov 2020 15:05:38 GMT
< foobar-search-id: b41c62b4-213d-5f8b-9eb7-676c88c209fb
< link: <https://api-extranet.foobar.test/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
< location: https://api.foobar.test/mobile/hotels/search/b41c62b4-213d-5f8b-9eb7-676c88c209fb/results?sortBy=%2Bclosest
< server: nginx/1.18.0

* Replaced cookie sf_redirect="%7B%22token%22%3A%228348ec%22%2C%22route%22%3A%22api_hotels_new_search%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Dayuse%5C%5CFrontend%5C%5CController%5C%5CApi%5C%5CHotelApiController%22%2C%22method%22%3A%22newHotelsSearchAction%22%2C%22file%22%3A%22%5C%2Fvar%5C%2Fwww%5C%2Fsrc%5C%2FFrontend%5C%2FController%5C%2FApi%5C%2FHotelApiController.php%22%2C%22line%22%3A69%7D%2C%22status_code%22%3A303%2C%22status_text%22%3A%22See%20Other%22%7D" for domain api.foobar.test, path /, expire 0

< set-cookie: sf_redirect=%7B%22token%22%3A%228348ec%22%2C%22route%22%3A%22api_hotels_new_search%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Dayuse%5C%5CFrontend%5C%5CController%5C%5CApi%5C%5CHotelApiController%22%2C%22method%22%3A%22newHotelsSearchAction%22%2C%22file%22%3A%22%5C%2Fvar%5C%2Fwww%5C%2Fsrc%5C%2FFrontend%5C%2FController%5C%2FApi%5C%2FHotelApiController.php%22%2C%22line%22%3A69%7D%2C%22status_code%22%3A303%2C%22status_text%22%3A%22See%20Other%22%7D; path=/; secure; httponly; samesite=lax
< x-debug-token: 8348ec
< x-debug-token-link: https://api.foobar.test/_profiler/8348ec
< x-powered-by: PHP/7.3.24
< x-robots-tag: noindex
< content-length: 674


* Received 674 B chunk
* Connection #0 to host api.foobar.test left intact
* Saved 1 cookie

@jgiovaresco (Contributor)

When follow redirect: true, Insomnia will follow the redirection. Insomnia is using curl under the hood. When the setting is checked, the option FOLLOWLOCATION is given, and curl will automatically redirect using the Location header when the response status is 30x.

When follow redirect: false, Insomnia will detect it can render the response in the Preview mode. This mode will display the response in a webview. It behaves like an iframe; therefore, the content is interpreted, and the meta redirect is read and triggers the redirection. The redirection is done regardless of the follow redirect setting, and the defined headers are not provided.

Honestly, I don't know how we could handle this edge case. It would be possible to prevent navigation in the webview, but I'm not sure it is a good idea.
I will let @nijikokun or @develohpanda give their thoughts.


lyrixx commented Nov 2, 2020

This is very well summarized 👍🏼

And actually, I don't know if this issue can be solved. I lost some time today on this (I'm on an audit mission, so I don't really know the code). But this is absolutely not your fault 💛. If it can, that's awesome. If not, feel free to close this issue, I understand.

Note: Idea to close this issue: encapsulate the meta tag in a comment before passing the HTML to the web view. This is really hackish, but it could work :)
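Added example (not part of the thread and not Insomnia's own code): the explanation above describes a preview webview that interprets the response body, so a `<meta http-equiv="refresh">` makes the preview navigate regardless of the "Follow redirects" setting and without the user's headers, and the idea that follows is to comment the tag out before the HTML reaches the webview. The JavaScript below implements that idea for a Node/Electron renderer. The function and constant names, and the sample body (modelled on the 303 response quoted in the issue), are assumptions of this example.

```javascript
'use strict';
// Added example for this thread, not Insomnia's code. Before untrusted response
// HTML reaches the preview webview, comment out every <meta http-equiv="refresh">
// so the preview cannot navigate on its own (outside the "Follow redirects"
// setting and without the user's headers). Names are assumptions of this example.

// Any <meta ...> start tag, case-insensitive. Quoted attribute values are
// consumed as a unit so a ">" inside a quoted URL does not end the tag early.
const META_TAG_RE = /<meta\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;

// The http-equiv attribute with a double-quoted, single-quoted or bare value.
const HTTP_EQUIV_RE = /\bhttp-equiv\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/i;

// True when the tag carries http-equiv=refresh. Attribute names and this value
// are case-insensitive in HTML, and surrounding whitespace is ignored.
function isMetaRefresh(tag) {
  const m = HTTP_EQUIV_RE.exec(tag);
  if (!m) return false;
  const value = (m[1] ?? m[2] ?? m[3] ?? '').trim().toLowerCase();
  return value === 'refresh';
}

// Returns the rewritten HTML and how many refresh tags were suppressed.
function neutralizeMetaRefresh(html) {
  let count = 0;
  const out = html.replace(META_TAG_RE, (tag) => {
    if (!isMetaRefresh(tag)) return tag;
    count += 1;
    // Two things must not appear inside the comment: a "<" that would make the
    // suppressed copy look like a tag again (this also keeps the rewrite
    // idempotent), and "-->" / "--!>", which an attacker-controlled URL could
    // use to close the comment early. Escape "<" and split every run of dashes.
    const shown = tag.replace(/</g, '&lt;').replace(/-(?=-)/g, '- ');
    return `<!-- preview: meta refresh suppressed: ${shown} -->`;
  });
  return { html: out, count };
}

// Constructed sample, modelled on the 303 body quoted in the issue.
const SAMPLE_303_BODY = [
  '<!DOCTYPE html>',
  '<html>',
  '  <head>',
  '    <meta charset="UTF-8" />',
  '    <meta http-equiv="refresh" content="0;url=\'https://api.foo.test/mobile/hotels/search/results?sortBy=%2Bclosest\'" />',
  '    <title>Redirecting to https://api.foo.test/mobile/hotels/search/results?sortBy=%2Bclosest</title>',
  '  </head>',
  '  <body>',
  '    Redirecting to <a href="https://api.foo.test/mobile/hotels/search/results?sortBy=%2Bclosest">https://api.foo.test/mobile/hotels/search/results?sortBy=%2Bclosest</a>.',
  '  </body>',
  '</html>',
].join('\n');

// Stand-alone run: show what the preview would receive for the sample body.
const demo = neutralizeMetaRefresh(SAMPLE_303_BODY);
console.log(`suppressed ${demo.count} meta refresh tag(s)\n${demo.html}`);
```

This suppresses only the one tag the thread identified; it is a targeted mitigation, not an HTML sanitizer, and it does nothing about navigation started from `<script>`, a form or a link in the same body, and malformed markup that a browser's error-tolerant parser still accepts can slip past a regex. The more robust fix is the one mentioned above, preventing navigation in the webview itself (in Electron, by cancelling the webContents `will-navigate` event), so that whatever the preview renders can never turn into a request the user did not send.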


stale bot commented May 28, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


lyrixx commented May 29, 2021

Actually this issue has not been solved. If we can leave it open, it will be better IMHO.


lyrixx commented Apr 16, 2024

Not a big deal, we can close.

lyrixx closed this as not planned on Apr 16, 2024