Bug 8108 - DecodeShortURLs should include sec-fetch-mode header in requests
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins
Version: 4.0.0
Hardware: PC Linux
Importance: P3 enhancement
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2023-01-20 13:44 UTC by Christer Mjellem Strand
Modified: 2023-01-20 13:54 UTC

Description Christer Mjellem Strand 2023-01-20 13:44:06 UTC
Certain redirectors, notably fb.me, refuse to return a 302 unless the request header sec-fetch-mode is included, with a value of navigate.

Compare:

curl -A "Mozilla/5.0 (Windows NT 10.0; Win64 ;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36)" -I https://fb.me/e/2niFUdfPy/

Which returns a 200, with:

curl -A "Mozilla/5.0 (Windows NT 10.0; Win64 ;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36)" -H 'sec-fetch-mode: navigate' -I https://fb.me/e/2niFUdfPy/

Which returns the expected and desired 302.

I propose the sec-fetch-mode header is included in all requests made by DecodeShortURLs, as I see no harm in doing so. This will help further mask them as browser requests, which is already the goal with spoofing the UA.
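
Added example (not part of the original report and not SpamAssassin code): a local stub that imitates the behaviour described above, returning 200 without `Sec-Fetch-Mode: navigate` and 302 with it, plus a resolver that sends a single HEAD request and never follows the redirect. The stub server, the path `/e/sample` and the `destination.example` target are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder destination, not a value from the bug report.
TARGET = "https://destination.example/landing"


class StubRedirector(BaseHTTPRequestHandler):
    """Local stand-in for a redirector that gates its 302 on Sec-Fetch-Mode."""

    def do_HEAD(self):
        if self.headers.get("Sec-Fetch-Mode", "").lower() == "navigate":
            self.send_response(302)
            self.send_header("Location", TARGET)
        else:
            self.send_response(200)  # page served instead of a redirect
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # suppress per-request logging


def resolve_once(host, port, path, extra_headers=None):
    """Send one HEAD request without following redirects.

    Returns (status, Location header or None).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path, headers=extra_headers or {})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def compare():
    """Run the same request with and without the header against the stub."""
    server = HTTPServer(("127.0.0.1", 0), StubRedirector)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        plain = resolve_once(host, port, "/e/sample")
        navigate = resolve_once(host, port, "/e/sample", {"Sec-Fetch-Mode": "navigate"})
        return plain, navigate
    finally:
        server.shutdown()
        server.server_close()
```

A resolver that treats only 3xx responses with a `Location` header as decodable will silently skip the short URL in the first case, which is why the missing header matters for URL-based rules.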