SA Bugzilla – Bug 8108
DecodeShortURLs should include sec-fetch-mode header in requests
Last modified: 2023-01-20 13:54:04 UTC
Certain redirectors, notably fb.me, refuse to return a 302 unless the request header sec-fetch-mode is included, with a value of navigate. Compare: curl -A "Mozilla/5.0 (Windows NT 10.0; Win64 ;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36)" -I https://fb.me/e/2niFUdfPy/ Which returns a 200, with: curl -A "Mozilla/5.0 (Windows NT 10.0; Win64 ;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36)" -H 'sec-fetch-mode: navigate' -I https://fb.me/e/2niFUdfPy/ Which returns the expected and desired 302. I propose the sec-fetch-mode header is included in all requests made by DecodeShortURLs, as I see no harm in doing so. This will help further mask them as browser requests, which is already the goal with spoofing the UA.