Scala Stream Collector: allow users to disable the default redirect endpoint #4211
Comments
Add a new flag `collector.allowRedirects` that when set to false will prohibit (`410 Gone`) any redirects using the `r/` prefix URL.
It would be great if we can still allow redirects, just not via the default route. The default route is public, which makes it easy to abuse. However, a custom redirect path will be much harder to guess. We can't use custom path mappings for this, because the custom path will have to be mapped to some default. But if we make the redirect path configurable, then users will be able to have the functionality in a secure way. Seeing how we're already adding a new item to the config, what if instead of a
@dilyand to me the only problem here is backwards compatibility:
What are your thoughts on the two?
I think what we have now in the proposed 0.17.0 is good enough. It might be worthwhile though to open an issue for future versions, where we give users the ability to only use a custom redirect path (i.e., disabling the default path but not redirects as such). And have the discussion on backward compatibility there, if we ever pick up the issue again.
…ndpoint (fixes #4211) Add a new flag `collector.allowRedirects` that when set to false will prohibit (`410 Gone`) any redirects using `r/` prefix url.
Scala Stream Collector: allow disabling redirects (fixes #4211)
…ndpoint (fixes #4211) Add a new flag `collector.enableDefaultRedirect` that when set to false will prohibit (`404 Not Found`) any redirects using `r/` prefix url.
…ndpoint (closes #4211) Add a new flag `collector.enableDefaultRedirect` that when set to false will prohibit (`404 Not Found`) any redirects using `r/` prefix url.
…/snowplow#4211) Add a new flag `collector.enableDefaultRedirect` that when set to false will prohibit (`404 Not Found`) any redirects using `r/` prefix url.
The Javascript tracker allows for click tracking through open redirects. There are concerns that this functionality might be abused by malicious third parties. Even if SSC users are not making use of the feature in the JS tracker, they are still potentially vulnerable as the collector would accept requests to the default redirect endpoint.
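As an added illustration (not code from this issue or from the Snowplow project), here is the kind of access-log check an operator can run to see whether the public default redirect endpoint under `r/` is being hit and where it is sending people. It assumes Common Log Format lines and that the redirect target travels in a `u` query parameter; the sample lines are constructed, and the final `404` line models the response once `collector.enableDefaultRedirect` is set to `false`.

```python
"""Scan collector access logs for hits on the default redirect endpoint (/r/)
and flag redirects that were actually served to destinations outside an
allowlist of first-party hosts."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2020:10:00:00 +0000] "GET /i?e=pv&url=https%3A%2F%2Fshop.example.com HTTP/1.1" 200 35
203.0.113.7 - - [01/Feb/2020:10:00:01 +0000] "GET /r/tp2?u=https%3A%2F%2Fshop.example.com%2Fsale HTTP/1.1" 302 0
198.51.100.9 - - [01/Feb/2020:10:00:02 +0000] "GET /r/tp2?u=https%3A%2F%2Funtrusted.example.net%2Flogin HTTP/1.1" 302 0
198.51.100.9 - - [01/Feb/2020:10:00:03 +0000] "GET /r/tp2?u=https%3A%2F%2Funtrusted.example.net%2Flogin HTTP/1.1" 404 0
"""

# Minimal CLF parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def redirect_findings(log_text, allowed_hosts):
    """Return one record per request to the /r/ redirect endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        parts = urlsplit(m['target'])
        if not parts.path.startswith('/r/'):
            continue  # ordinary tracking hits (/i, /com.snowplowanalytics...) are not of interest
        # Assumption: the redirect destination is carried in the "u" parameter.
        dest = parse_qs(parts.query).get('u', [''])[0]
        host = urlsplit(dest).hostname or ''
        findings.append({
            'ip': m['ip'],
            'timestamp': m['ts'],
            'status': int(m['status']),
            'destination': dest,
            'allowed': host in allowed_hosts,
            # A 3xx means the collector really bounced the client to "dest";
            # a 404 is what a collector with the default endpoint disabled answers.
            'served': m['status'].startswith('3'),
        })
    return findings


def abusive_redirects(findings):
    """Redirects that were served and went to a host outside the allowlist."""
    return [f for f in findings if f['served'] and not f['allowed']]
```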