Commit
🐛 Do not follow redirect responses in logout calls
Block following redirect responses from programmatically calling the logout operation, for two reasons:

* they may be incomplete endpoints, e.g. the Redirect URI but without state parameter or token or anything, which would fail anyway. These can cause HTTP 500 errors in downstream projects (as seen in Open Forms).
* they can lead to SSRF issues if we don't validate the redirect target URL - a malicious/bad OpenID Provider could be a part of a larger chain of exploits
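The behaviour the commit message describes, as an added example that is not the project's own code: a logout call that never follows a 3xx from the provider and instead reports the (unfetched) Location to the caller. It assumes a requests-style session object with a `post(url, data=..., allow_redirects=...)` method; the `FakeSession`/`FakeResponse` classes are constructed stand-ins so the example runs offline.

```python
import logging
from typing import Optional, Tuple

logger = logging.getLogger(__name__)


def call_logout(session, logout_url: str, id_token: str) -> Tuple[str, Optional[str]]:
    """POST to the provider's logout endpoint without following redirects.

    Returns ("ok", None), ("redirect", location) or ("error", None). A 3xx
    answer is reported to the caller instead of being fetched server-side, so
    an incomplete or attacker-controlled Location header is never requested.
    """
    response = session.post(
        logout_url,
        data={"id_token_hint": id_token},
        allow_redirects=False,  # the key setting: never chase Location headers
    )
    status = response.status_code
    if 300 <= status < 400:
        location = response.headers.get("Location")
        logger.info("Logout at %s answered %d, Location=%r (not followed)",
                    logout_url, status, location)
        return "redirect", location
    if status >= 400:
        logger.warning("Logout at %s failed with HTTP %d", logout_url, status)
        return "error", None
    return "ok", None


# Constructed stand-ins for a requests-style session and response (no network).
class FakeResponse:
    def __init__(self, status_code: int, headers: Optional[dict] = None):
        self.status_code = status_code
        self.headers = headers or {}


class FakeSession:
    def __init__(self, response: FakeResponse):
        self.response = response
        self.redirects_allowed = None  # records what the caller asked for

    def post(self, url, data=None, allow_redirects=True):
        self.redirects_allowed = allow_redirects
        return self.response


if __name__ == "__main__":
    # Constructed provider answer: a redirect to an internal host that must not be fetched.
    s = FakeSession(FakeResponse(302, {"Location": "http://internal.example/"}))
    print(call_logout(s, "https://op.example/logout", "placeholder-id-token"))
    # ('redirect', 'http://internal.example/')
```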