HttpClient redirect bug

[XaveScor]

http://stackoverflow.com/questions/43573321/httpclient-302-redirect
I have 2 urls: https://pcr.apple.com/id868222886 and https://jigsaw.w3.org/HTTP/300/302.html. Both have a location link and 302 response code. But apple's link has 0-len response body.

using System;
using System.IO;
using System.Net.Http;

namespace XaveScor.PodcastFeed
{
    public class RemoteFeedSource: FeedSource
    {
        private string url;
        protected virtual HttpMessageHandler Handler => new HttpClientHandler() { AllowAutoRedirect = true };

        public override Stream Stream => client.Value.GetStreamAsync(url).Result;

        private readonly Lazy<HttpClient> client;

        public RemoteFeedSource(string url)
        {
            client = new Lazy<HttpClient>(() => new HttpClient(Handler), false);    
            this.url = url;
        }
    }
}


[TestMethod]
public void Test1() //fail
{
    var source = new RemoteFeedSource("https://pcr.apple.com/id868222886");
    Assert.AreNotEqual(source.Stream.GetString(), "");
}

[TestMethod]
public void Test2() //success
{
    var source = new RemoteFeedSource("https://jigsaw.w3.org/HTTP/300/302.html");
    Assert.AreNotEqual(source.Stream.GetString(), "");
}

[stephentoub]

What's the question? You asked the same question on stackoverflow and got this answer:
http://stackoverflow.com/questions/43573321/httpclient-302-redirect/43576738#43576738
What's wrong with that answer?

[XaveScor]

No, this is not question. Why HttpClient don't redirect on specific url? I think HttpClient should redirect on any pages which have Location header.

[stephentoub]

It's not based on the presence of a Location header: it's based on the response status code.

But that's not the issue here. The issue here is that you have an https URL that's trying to redirect to an http URL, which is explicitly blocked for security reasons.

cc: @davidsh, @bartonjs, @danmosemsft

[XaveScor]

How to disable this behavior? Have we some options for it? Security is unimportant thing in my problem.

[davidsh]

If you need to handle HTTPS -> HTTP redirection, you should disable automatic redirection in HttpClient. Then handle the 3xx responses yourself.

var handler = new HttpClientHandler();
handler.AllowAutomaticRedirect = false;
var client = new HttpClient(handler);

[XaveScor]

Wow. Why we can't add the flag "enable redirect https -> http"?

[karelz]

We could. Is it worth it? The workaround above is reasonable.
Auto-redirecting is also kind of security risk, so not having it exposed as first-class citizen feels like the right thing to do ...

[davidsh]

Closing as by-design. If you would like to raise this as a new design issue/discussion, please contribute to https://github.com/dotnet/designs/issues/9