Closed
Labels: verified (All test cases were verified successfully)
Description
After the login page, served under https://, the Webtop response redirects the client to a clear-text URL, like http://<hostname>/webtop/. This clear-text redirect is considered dangerous by some browsers (e.g. some versions of Chrome) and the request is blocked.
Steps to reproduce
- Open the network console in the browser
- Log in to Webtop
Expected behavior
All requests transit over HTTPS
Actual behavior
The login request redirects to HTTP
12:01:13.690 POST https://webtop.nethesis.it/webtop/login [HTTP/2 302 312ms]

POST
scheme: https
host: webtop.nethesis.it
filename: /webtop/login
Indirizzo: 2.119.67.170:443
Stato: 302
Versione: HTTP/2
Trasferito: 7,40 kB (dim. 28,72 kB)
Referrer Policy: strict-origin-when-cross-origin
Priorità richiesta: Highest
Risoluzione DNS: Sistema

content-length: 0
date: Tue, 08 Jul 2025 10:01:13 GMT
location: http://webtop.nethesis.it/webtop/
server: Apache
set-cookie: rememberMe=deleteMe; Path=/webtop; Max-Age=0; Expires=Mon, 07-Jul-2025 10:01:13 GMT; SameSite=lax
X-Firefox-Spdy: h2
x-robots-tag: none

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,it;q=0.5
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 114
Content-Type: application/x-www-form-urlencoded
Cookie: DID-***=W***
DNT: 1
Host: webtop.nethesis.it
Origin: https://webtop.nethesis.it
Pragma: no-cache
Priority: u=0, i
Referer: https://webtop.nethesis.it/webtop/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
TE: trailers
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Components
- Webtop 1.4.3
See also
Discussion https://mattermost.nethesis.it/nethesis/pl/pg4yi5xnfby7dci617ae13455h
Thanks to Giuse, @NethNick
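A regression check for the behavior reported above, as an added example that is not part of the original issue or of the Webtop code: it flags any 3xx response to an https:// request whose Location header resolves to http://. The function names and the two control cases are constructed for illustration; the first sample exchange uses the values from the report.

```python
from urllib.parse import urljoin, urlsplit


def redirect_target(request_url, headers):
    """Resolve the Location header as a browser would: relative and
    scheme-relative values are resolved against the request URL.
    Returns None when the response carries no Location header."""
    for name, value in headers.items():
        if name.lower() == "location":
            return urljoin(request_url, value.strip())
    return None


def find_downgrades(exchanges):
    """Return one finding per 3xx response to an https:// request whose
    resolved redirect target uses the http:// scheme."""
    findings = []
    for method, url, status, headers in exchanges:
        if not 300 <= status < 400 or urlsplit(url).scheme != "https":
            continue
        target = redirect_target(url, headers)
        if target and urlsplit(target).scheme == "http":
            same_host = urlsplit(target).hostname == urlsplit(url).hostname
            findings.append({"method": method, "from": url, "to": target,
                             "status": status, "same_host": same_host})
    return findings


# First entry: the exchange from the report. The other two are constructed
# control cases that must not be flagged.
SAMPLE = [
    ("POST", "https://webtop.nethesis.it/webtop/login", 302,
     {"location": "http://webtop.nethesis.it/webtop/", "server": "Apache"}),
    # constructed: a relative Location inherits the https scheme
    ("POST", "https://webtop.nethesis.it/webtop/login", 302,
     {"Location": "/webtop/"}),
    # constructed: an absolute https Location
    ("GET", "https://webtop.nethesis.it/webtop", 301,
     {"Location": "https://webtop.nethesis.it/webtop/"}),
]

if __name__ == "__main__":
    for f in find_downgrades(SAMPLE):
        print(f"{f['status']} {f['method']} {f['from']} -> {f['to']} "
              f"(same host: {f['same_host']})")
```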
Status: Done