allowInsecureRedirect=false shoud not block http -> https

[PhilDay-CT]

Currently allowInsecureRedirect=false blocks any redirect that changes protocol. But a site that redirects from its http URL to its equivalent https URL is not being insecure, its increasing security.

The check should only be applied if the old protocol is https and the new protocol is http

[MikeMcC399]

@PhilDay-CT

• allowInsecureRedirect was introduced as a response to CVE-2023-28155. See PR feat: Add allowInsecureRedirect option #28 and v3.0.0.

Since both redirect directions are listed in the CVE-2023-28155 report, both would need to remain in place otherwise a new / repeat vulnerability would be generated.

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

[PhilDay-CT]

Thanks for the quick response Mike, that's a pain since it means that I have to expose https->http in order allow what still seems to me a legitimate http->https.