
Upon redirect (301), authentication header doesn't get removed

Open yliu342 opened this issue 3 months ago • 0 comments

Environment

  • Android OS version: 15
  • Devices affected:
  • Maps SDK Version: 11.8.1

Observed behavior and steps to reproduce

The HTTP stack used in Mapbox does not strip out the Authentication header upon receiving a redirect (301). This is a huge security risk as the authentication token is leaked to a 3rd party.

Expected behavior

Authentication header should be removed upon redirect

Notes / preliminary analysis

Additional links and references

yliu342, Oct 07 '25 01:10
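The expected behavior described in the issue, sketched as an added example; it is not code from the Mapbox SDK or from the reporter. It drops credential-bearing headers when a redirect target is a different origin (scheme, host, or port). The function names, the header list (which uses the standard `Authorization` header name), and the sample hosts and token are assumptions made for illustration.

```kotlin
import java.net.URI

// Headers that carry credentials and must not follow a request to another origin.
// Assumed list for this example; any custom token header would need to be added.
val CREDENTIAL_HEADERS = setOf("authorization", "proxy-authorization", "cookie")

data class Origin(val scheme: String, val host: String, val port: Int)

// Hypothetical helper: normalises a URL to its (scheme, host, port) origin.
fun originOf(url: String): Origin {
    val u = URI(url)
    val scheme = u.scheme?.lowercase() ?: throw IllegalArgumentException("no scheme: $url")
    val host = u.host?.lowercase() ?: throw IllegalArgumentException("no host: $url")
    val port = if (u.port != -1) u.port else when (scheme) {
        "https" -> 443
        "http" -> 80
        else -> throw IllegalArgumentException("unsupported scheme: $scheme")
    }
    return Origin(scheme, host, port)
}

/** Returns the headers that may be sent with the follow-up request for a 3xx response. */
fun headersForRedirect(
    requestUrl: String,
    location: String,
    headers: Map<String, String>
): Map<String, String> {
    // Location may be relative, so resolve it against the request URL first.
    val target = URI(requestUrl).resolve(location).toString()
    if (originOf(requestUrl) == originOf(target)) return headers
    // Different scheme, host or port (including an https -> http downgrade):
    // forward only headers that carry no credentials. Header names are case-insensitive.
    return headers.filterKeys { it.lowercase() !in CREDENTIAL_HEADERS }
}

fun main() {
    // Constructed sample request; hosts and token are placeholders.
    val headers = mapOf("Authorization" to "Bearer EXAMPLE_TOKEN", "Accept" to "application/json")
    val from = "https://api.example.test/v1/tiles/1"

    println(headersForRedirect(from, "/v1/tiles/2", headers).keys)                    // same origin
    println(headersForRedirect(from, "https://cdn.other.test/tiles/1", headers).keys) // other host
    println(headersForRedirect(from, "http://api.example.test/v1/tiles/1", headers).keys) // downgrade
}
```

A quick check for this class of bug is to point the client at a test server that answers 301 to a second host you control and confirm the second host's request log shows no credential headers.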