guzzle / psr7

PSR-7 HTTP message library


Cross Origin - Allow optional protocol upgrade

noefleury opened this issue · comments

PHP version:

Every compatible version: ^7.2.5 || ^8.0.

Description

When we are checking if a modified URL should be considered as cross-origin (e.g. during a request which resulted in an HTTP 301), we are checking 3 things, see Same-Origin Policy.

I understand that it's a security check, but as this package is used on the backend and not on the frontend, I think we should give the user the ability to authorize a scheme and port upgrade, which means an unsecured (http/80) redirection to a secure request (https/443). Of course, if the host is altered during the redirection, the check will still pass.

Additional information

Before, a check of the same kind was made in Guzzle using the host only.

Possible Solution

Add an optional flag in the UriComparator::isCrossOrigin method.
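For readers who want to see the three checks the issue refers to in working form, here is an added, standalone PHP example. It is not code from guzzle/psr7 and does not call the library; it reimplements the same scheme/host/port comparison (with default-port normalisation) so the outcome for each redirect shape can be inspected offline. The function names `originOf` and `isCrossOrigin`, and the `$cases` redirect pairs, are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not guzzle/psr7 code: a standalone origin comparison that follows
// the three checks named in the issue (scheme, host, port) and treats a missing port
// as the scheme's default. Function names and sample URLs are assumptions.

/** Return [scheme, host, port] for an absolute URL, filling in the default port. */
function originOf(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    $scheme = strtolower($parts['scheme']);
    // A missing port means the well-known default, so http://a and http://a:80 match.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    return [$scheme, strtolower($parts['host']), $port];
}

/** True when scheme, host or effective port differs between the two URLs. */
function isCrossOrigin(string $original, string $modified): bool
{
    // Strict array comparison: all three components must be identical.
    return originOf($original) !== originOf($modified);
}

// Constructed redirect pairs: (URL originally requested, Location the server answered with).
$cases = [
    ['http://api.example.test/login',    'http://api.example.test/v2/login'],  // same origin
    ['http://api.example.test:80/login', 'http://api.example.test/v2/login'],  // explicit default port
    ['http://api.example.test/login',    'https://api.example.test/login'],    // scheme + port upgrade
    ['https://api.example.test/login',   'https://api.other.test/login'],      // host change
];

foreach ($cases as [$from, $to]) {
    $verdict = isCrossOrigin($from, $to)
        ? 'cross-origin: drop credential headers before following'
        : 'same origin: credential headers may be kept';
    printf("%-36s -> %-36s %s\n", $from, $to, $verdict);
}
```

Running this prints the first two pairs as same origin (the explicit `:80` is normalised away) and the last two as cross-origin. The third pair is the case the issue asks to relax: with the checks as written, an http-to-https redirect is cross-origin, so a redirect-following client that keys credential stripping on this verdict will not automatically re-send the headers to the new scheme/port, even though the host is unchanged.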

I don't think we want to allow upgrade. It is a security mistake to send the confidential data over plain text then get upgraded to https. We also are mimicking how other major projects handle this, such as curl.

So maybe we should have the ability to fully bypass this check too? In that case the issue is more linked to Guzzle itself, and no longer linked to psr7.

I suppose this ability does exist if you implement and use your own redirect middleware without the cross-origin check. I am somewhat hesitant to build this natively into Guzzle, given how edge case this use case is, and how easy it is to use our middleware system to get custom behaviour.

You're right about it, that's in fact an edge case. I'll close the issue and the linked PR.

Thanks 👍