Redirect issue - endpoint choice

[sayaHub]

Use case:

1. Service has all endpoints live (http, httpwww, https, httpswww)
2. http, httpwww and https endpoints are configure properly and immediately redirect to the secure eventual endpoint
3. httpswww downgrade before reaching the eventual secure endpoint

Even if we feed the scanner with a root endpoint that is secured and properly redirect to the eventual secure endpoint, tracker seems to set the canonical url to httpswww. Where there are httpswww configuration issues, it significantly impact the root domain scan result because the httpswww is chosen.

Question:
should Tracker choose to scan the secure root endpoint if Live instead of httpswww?

[obrien-j]

Can you point to an existing domain in this situation @sayaHub ?

Point 3 there seems to imply a secure endpoint is downgrading to an insecure path.. That feels pretty "wrong".

[sayaHub]

for point 3, we feel the same way, we don't understand why the configuration will be setup that way. We are trying to write up more about the right way to do redirection ...I ping you on slack about the domain example.

[obrien-j]

Example of a misconfigured redirection...

The logic of how pshtt chooses the 'best' endpoint to use could be changed, but it'd probably just be easier to fix the domains showing issues.

[sayaHub]

fyi, issue mentioned in original library :
cisagov/pshtt#89 (comment)