allow_redirect will ignore HSTS(STRICT-TRANSPORT-SECURITY)

Open zer0ty opened this issue 2 years ago • 0 comments

When a website sets the STRICT-TRANSPORT-SECURITY header, it tells the browser to use https, but requests does not take it into account.

Expected Result

Sometimes a developer sets a 302 and redirects the website to http. At the same time, someone configures the STRICT-TRANSPORT-SECURITY header. For a browser this will be OK, but requests is not able to access http://example.com because it uses the http protocol.

Actual Result

image

Reproduction Steps

import requests
# The keyword argument is allow_redirects, and the URL needs an explicit scheme
r = requests.get('http://example.com', allow_redirects=True)
r.status_code  # ==> 502

In Chrome:
r.status_code == 200

System Information

$ python -m requests.help
{
  "chardet": {
    "version": "3.0.4"
  },
  "charset_normalizer": {
    "version": "2.0.12"
  },
  "cryptography": {
    "version": "37.0.2"
  },
  "idna": {
    "version": "2.6"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.10.2"
  },
  "platform": {
    "release": "10",
    "system": "Windows"
  },
  "pyOpenSSL": {
    "openssl_version": "30000030",
    "version": "22.0.0"
  },
  "requests": {
    "version": "2.27.1"
  },
  "system_ssl": {
    "version": "101010df"
  },
  "urllib3": {
    "version": "1.26.9"
  },
  "using_charset_normalizer": false,
  "using_pyopenssl": true
}

zer0ty, Aug 30 '22 09:08
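
An added example (not part of the issue above and not code from requests): one way a client could keep HSTS policies itself and upgrade an http redirect target to https before following it. The `HSTSStore` class and its method names are hypothetical; it handles hostnames only and has no preload list.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HSTSStore:
    """Minimal in-memory HSTS policy store (RFC 6797 subset, hypothetical helper)."""

    def __init__(self):
        self._policies = {}  # host -> (expiry_timestamp, include_subdomains)

    def note(self, url, header_value, now=None):
        """Record a Strict-Transport-Security header seen on a response for url."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        # The header is only honoured when it arrives over HTTPS.
        if parts.scheme != "https" or not parts.hostname or not header_value:
            return
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return  # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory
        host = parts.hostname.lower()
        if max_age <= 0:
            self._policies.pop(host, None)  # max-age=0 deletes the policy
        else:
            self._policies[host] = (now + max_age, include_sub)

    def upgrade(self, url, now=None):
        """Return url rewritten to https if a live policy covers its host."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "http" or not host:
            return url
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then parent domains
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                port = "" if parts.port in (None, 80) else f":{parts.port}"
                return urlunsplit(("https", host + port, parts.path, parts.query, parts.fragment))
        return url
```

To use it with requests, follow redirects manually with `allow_redirects=False`: call `note()` with each response's URL and `Strict-Transport-Security` header, then pass the `Location` target through `upgrade()` before requesting it.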