A batteries included HTTP/1.1 client in OCaml

(*---------------------------------------------------------------------------
  Copyright (c) 2025 Anil Madhavapeddy <anil@recoil.org>. All rights reserved.
  SPDX-License-Identifier: ISC
 ---------------------------------------------------------------------------*)

open Http

(** Redirect handling and cross-origin security utilities

    This module provides shared functions for handling HTTP redirects safely,
    including cross-origin detection and sensitive header stripping. *)

val src : Logs.src
(** Logs source for this module. *)

(** {1 Cross-Origin Detection} *)

val same_origin : Uri.t -> Uri.t -> bool
(** [same_origin uri1 uri2] returns [true] if both URIs have the same origin.
    Same origin means same host with same scheme, or http->https upgrade. Used
    to determine if sensitive headers should be preserved during redirects. *)

(** {1 Sensitive Header Protection} *)

val strip_sensitive_headers : Headers.t -> Headers.t
(** [strip_sensitive_headers headers] removes sensitive headers that should not
    be sent to cross-origin destinations:
    - Authorization
    - Cookie
    - Proxy-Authorization
    - WWW-Authenticate. *)

(** {1 Redirect URL Validation} *)

val allowed_schemes : string list
(** List of allowed URL schemes for redirects: ["http"; "https"]. *)

val validate_url : string -> Uri.t
(** [validate_url location] validates that the redirect URL uses an allowed
    scheme.
    @raise Error.Invalid_redirect if scheme is not http or https. *)
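A sketch of how the three functions declared above combine into one redirect hop, added here as an example and not taken from the library's implementation. It assumes the `uri` opam package, a Location value that is already absolute, headers modelled as a `(name, value)` list, and a local `Invalid_redirect` exception and `next_hop` helper that are hypothetical stand-ins.

```ocaml
(* Added illustration; not the library's implementation. Headers are modelled
   as a (name, value) list because the real Headers.t API is not shown here. *)
exception Invalid_redirect of string (* stand-in for Error.Invalid_redirect *)

let allowed_schemes = [ "http"; "https" ]
let sensitive =
  [ "authorization"; "cookie"; "proxy-authorization"; "www-authenticate" ]

let scheme_of uri = Option.map String.lowercase_ascii (Uri.scheme uri)
let host_of uri = Option.map String.lowercase_ascii (Uri.host uri)

(* Reject anything but http/https before the client acts on a Location. *)
let validate_url location =
  let uri = Uri.of_string location in
  match scheme_of uri with
  | Some s when List.mem s allowed_schemes -> uri
  | _ -> raise (Invalid_redirect location)

(* Same host and same scheme, or an http -> https upgrade on the same host.
   Under that definition an https -> http downgrade counts as cross-origin. *)
let same_origin a b =
  match host_of a, host_of b with
  | Some ha, Some hb when String.equal ha hb -> (
      match scheme_of a, scheme_of b with
      | Some sa, Some sb -> String.equal sa sb || (sa = "http" && sb = "https")
      | _ -> false)
  | _ -> false

let strip_sensitive_headers headers =
  List.filter
    (fun (name, _) -> not (List.mem (String.lowercase_ascii name) sensitive))
    headers

(* One redirect hop: validate the target, then decide which headers follow. *)
let next_hop ~current ~location headers =
  let target = validate_url location in
  if same_origin current target then (target, headers)
  else (target, strip_sensitive_headers headers)

let () =
  (* Constructed sample values. *)
  let current = Uri.of_string "https://api.example.test/v1/items" in
  let headers = [ ("Authorization", "Bearer CONSTRUCTED"); ("Accept", "*/*") ] in
  let _, kept = next_hop ~current ~location:"https://cdn.example.net/x" headers in
  assert (kept = [ ("Accept", "*/*") ]);
  let _, kept = next_hop ~current ~location:"https://API.example.test/v2" headers in
  assert (kept = headers);
  match next_hop ~current ~location:"ftp://files.example.test/x" headers with
  | _ -> assert false
  | exception Invalid_redirect _ -> ()
```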