[bug]: Firecamp sends an "HTTPS" request even if the URL starts with "HTTP://" #243

Open
om3rcitak opened this issue Sep 16, 2024 · 4 comments

@om3rcitak

Describe the bug
Firecamp is trying to send an "HTTPS" request even if the URL starts with "HTTP://".

To Reproduce

  1. Paste any URL which starts with "http://" into URL input
  2. Click the "send" button

Expected behavior
Send an HTTP request if the URL starts with "http://"

Screenshots
Screenshot 2024-09-16 102943

Desktop:

  • OS: Windows 11
  • Browser: Chrome
  • Version: 127.0.6533.120 (Official Build) (64-bit)
@Its-kushal

Hello, @om3rcitak

I would like to work on this bug.

Please assign me this issue. I will fix this as soon as possible.

@machimozor

Hey, can you assign this issue?

Sebb955 added a commit to Sebb955/firecamp that referenced this issue Nov 13, 2024
@mdotwills

Yep, noticed this bug too and came here to check the issues

@mdotwills

So had a quick look into this. For me, when using firecamp in the browser, the Content Security Policy upgrade-insecure-requests directive seems to be the offending party here (doing what it's supposed to do!)

<meta
http-equiv="Content-Security-Policy"
content="upgrade-insecure-requests"
/>

I think the original commit author was under an incorrect assumption that adding this directive would allow http requests, judging from this commit message.

From MDN

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS).

Removing this line from the template file allowed me to make requests locally via http successfully. This is something I would expect an API workbench like firecamp to be able to do. Might pull together a PR but it would require some input about toggling the CSP features on/off as there may be other security tradeoffs involved.

mdotwills added a commit to mdotwills/firecamp that referenced this issue Jan 17, 2025
Raised in firecamp-dev#243

Previously, it was not possible to make an http request from the web client as
the request would be transparently upgraded to https. This was a consequence of
an applied content security policy header with a directive to upgrade insecure
requests.

This change removes this CSP tag, meaning http requests are no longer forcibly
upgraded.
Sebb955 added a commit to Sebb955/firecamp that referenced this issue Jan 21, 2025
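
The rewrite described in the comment and commit message above, as an added example that is not part of the thread or of Firecamp's code: it reads the CSP from `<meta http-equiv>` tags in a page template and returns the URL the browser would actually request. The function names, the sample template wrapper and the `localhost:3000` target are assumptions; policies delivered by HTTP response header are not covered.

```javascript
// Added example; function names and the sample template are assumptions.

// Parse a CSP string into a Map of directive name -> list of values.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Names are case-insensitive; a duplicate directive is ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Collect policies delivered through <meta http-equiv> tags in a template.
function metaCspPolicies(html) {
  const policies = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const attr = (n) => {
      const m = tag.match(new RegExp(`\\b${n}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i'));
      return m ? (m[1] ?? m[2]) : '';
    };
    if (attr('http-equiv').toLowerCase() === 'content-security-policy') {
      policies.push(attr('content'));
    }
  }
  return policies;
}

// URL the browser actually requests for `target` from a page built from `html`.
function effectiveRequestUrl(target, html) {
  const url = new URL(target);
  const upgrades = metaCspPolicies(html).some((p) =>
    parseCsp(p).has('upgrade-insecure-requests'));
  if (upgrades && url.protocol === 'http:') {
    url.protocol = 'https:'; // host, explicit port, path and query are kept
  }
  return url.href;
}

// Constructed template containing the tag quoted in the thread.
const TEMPLATE = `<head>
<meta
http-equiv="Content-Security-Policy"
content="upgrade-insecure-requests"
/>
</head>`;
console.log(effectiveRequestUrl('http://localhost:3000/users', TEMPLATE));
```

Because only the scheme changes, a request to a plain-HTTP service on an explicit port is sent as HTTPS to that same port, which is why local HTTP endpoints fail while the directive is present.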