A batteries included HTTP/1.1 client in OCaml
1(*---------------------------------------------------------------------------
2 Copyright (c) 2025 Anil Madhavapeddy <anil@recoil.org>. All rights reserved.
3 SPDX-License-Identifier: ISC
4 ---------------------------------------------------------------------------*)
5
(** Redirect handling and cross-origin security utilities

    This module provides the shared functions used to follow HTTP redirects
    safely: deciding whether a redirect target shares the origin of the
    original request, stripping credential-bearing headers when it does not,
    and restricting redirect targets to http/https URLs. *)
10
val src : Logs.src
(** Logs source for this module. NOTE(review): presumably redirect decisions
    (origin mismatch, headers stripped, rejected scheme) are reported under
    this source — confirm in the implementation before relying on it for
    auditing. *)
13
14(** {1 Cross-Origin Detection} *)
15
val same_origin : Uri.t -> Uri.t -> bool
(** [same_origin uri1 uri2] returns [true] if both URIs have the same origin.
    Same origin means same host with same scheme, or an http->https upgrade.
    Under that definition the upgrade is one-directional: an https->http
    downgrade is not same-origin, so credentials are not re-sent in
    plaintext after a redirect.
    Used to determine if sensitive headers should be preserved during
    redirects; a [false] result is the cue to call
    {!strip_sensitive_headers} before following the redirect.

    NOTE(review): the definition above does not mention the port. The usual
    web "same origin" is scheme + host + port, so if the implementation
    compares host only, a redirect from [https://h:443] to [https://h:8443]
    would keep [Authorization] — confirm against the .ml and document the
    port rule here. Host comparison should also be case-insensitive, since
    DNS names are. *)
20
21(** {1 Sensitive Header Protection} *)
22
val strip_sensitive_headers : Headers.t -> Headers.t
(** [strip_sensitive_headers headers] removes the credential-bearing headers
    that should not be sent to a cross-origin destination (see
    {!same_origin}):
    - Authorization
    - Cookie
    - Proxy-Authorization
    - WWW-Authenticate

    Only these four names are removed. Application-specific credential
    headers (API-key headers, tokens under custom names) are not recognised
    and remain the caller's responsibility. HTTP header names are
    case-insensitive; NOTE(review): confirm the lookup used here (or
    [Headers.t] itself) matches case-insensitively, otherwise a caller-set
    [authorization] would slip through. [WWW-Authenticate] is a response
    header, so removing it from an outgoing request is harmless and is
    presumably listed for symmetry. *)
30
31(** {1 Redirect URL Validation} *)
32
val allowed_schemes : string list
(** Closed list of URL schemes a redirect may target: ["http"; "https"].
    Any other scheme — e.g. [file:], [data:], [javascript:], [ftp:] — is
    rejected by {!validate_url}, which stops a server-controlled [Location]
    header from steering the client at non-HTTP resources. *)
35
val validate_url : string -> Uri.t
(** [validate_url location] parses a [Location] header value and checks
    that it uses an allowed scheme (see {!allowed_schemes}).
    @return the parsed [Uri.t] when the scheme is accepted.
    @raise Error.Invalid_redirect if scheme is not http or https

    This checks the scheme only: it does not bound the number of redirects,
    detect loops, or compare origins — callers handle those separately
    (see {!same_origin}). NOTE(review): a relative [Location] (e.g.
    [/login]) carries no scheme; confirm whether the implementation resolves
    it against the request URI first or rejects it, and document that here. *)