Cross-protocol redirection not working

[erwinkramer]

If i host tinyauth on https://auth.public.domain.com and i expect it to redirect to http://service.private.domain.com, it will not do it. It will just stay on the tinyout Logout screen after successfully logging in. If this is this expected, it should at least give a warning/error.

Logging seems normal:

[steveiliop56]

This is not really tinyauth's fault. If you are serving tinyauth (or any webpage) using https and try to redirect with JavaScript to http browsers will block this. But if you try to do http to https browsers will allow it. I can "bypass" if by doing a server side redirect but I think this is very insecure and thus should stay as if. Redirects from https to http should not be allowed for any reason. What I can do (I think) is make the continue page prompt you to click the button on http redirects. This should technically not be blocked by browsers but since it's a button it has to run JavaScript so I am not sure. All in all I don't think such feature should be implemented due to how insecure it is. I will add a warning that you won't be redirected though.

[erwinkramer]

Warning would already be great.

Not sure how insecure it would be if you allow the scenario, since I put my local traffic on http with local IPs, so I already consider that to be trusted. It just comes in handy when I want to use the same https tinyauth instance for both public and private services when you do allow it.

[steveiliop56]

After some research seems like I can redirect a user using an tag. This means that the continue screen will be enforced on https to http but I think that's a good thing.

[steveiliop56]

Sooo, I fixed this here e2e3b3b and I discovered that if I do window.location.href instead of window.location.replace() I can actually achieve cross protocol redirection. But I decided to add a warning just in case.

[erwinkramer]

Legend