deprecation of `safe_conversion` in `iri_to_uri` breaks `itms-services:` URIs #2691
Comments
Please provide official documentation about the format of the
You can also use direct links instead of redirects: `<a href="itms-services:...">Click here to install the app.</a>` Or a native UI button, etc. This does not require a redirect to navigate to.
And as the linked PR mentions, please report this as a bug in
Here is a link to the Apple documentation (look for the "Use a website to distribute the app" section). The main issue is that I generate a unique link with a short lived token in order to allow the download. This is generated by the backend and a redirect is done over to the itms-services link.
At the end of the day though, if you're using the same value for the

```html
<a href="itms-services://?action=download-manifest&url=https://example.com/manifest.plist&token=abcde">Download</a>
```

```python
token = request.args["token"]

if signer.loads(token, max_age=600):
    return send_file("manifest.plist")
else:
    abort(401)
```

Now the direct link is guarded by a token, rather than only protecting the initial link but not the real URI.
Not quite - I generate a random token which expires after say 10 seconds - just enough to redirect and validate it. That's currently generated when you click an install button, and it's currently a simple redirect over to that link, which installs the app associated with the token. Any attempt to reuse that token or use it after it's expired returns invalid. I can of course re-write it and do it totally differently but this has been working nicely since about 2010.
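The single-use, short-lived token described in the comment above, sketched with only the Python standard library. This is an added example, not code from the thread or from Werkzeug; `issue_token`, `redeem_token`, `install_link`, the in-memory `_used` set and the bundle id used to exercise it are assumptions, and the link layout copies the sample URL quoted earlier in the thread.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

SECRET = secrets.token_bytes(32)  # assumption: per-process signing key
_used = set()  # nonces already redeemed; assumption: single process, no pruning


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(app_id, ttl=10, now=None):
    """Return 'app_id.expires.nonce.signature', valid for ttl seconds."""
    now = time.time() if now is None else now
    payload = f"{app_id}.{int(now) + ttl}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload)}"


def redeem_token(token, app_id, now=None):
    """True only for an authentic, unexpired, never-redeemed token for app_id."""
    now = time.time() if now is None else now
    payload, _, sig = token.rpartition(".")
    # Authenticate first, in constant time; the payload is trusted only after this.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    tok_app, expires, nonce = payload.rsplit(".", 2)
    if tok_app != app_id or now > int(expires):
        return False
    if nonce in _used:  # replay of an already redeemed token
        return False
    _used.add(nonce)
    return True


def install_link(manifest_url, token):
    """Build the link in the layout of the sample URL from the thread."""
    return (
        "itms-services://?action=download-manifest"
        f"&url={manifest_url}&token={quote(token, safe='')}"
    )
```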
Did you report this to Python?
Basically, this one (invalid?) URI scheme that's unlikely to be used in most applications requires extra code on every single response, which is not great. It requires a call to

I'm open to fixing this, but it could either be fixed in Python for everyone, or we could figure out a lower impact solution. I don't plan to undeprecate the original solution.
Would it be possible to implement a flag on the response to just pass the redirect URL through unchanged - would be more than happy to default that to no and just have an exception path which may well be slower for that as, as you mentioned, it's only a very tiny number of URLs that would be affected.
That's the other idea I mention in the linked issue. It would be nice if
It looks like you haven't reported this to Python yet. Please create an issue at https://github.com/python/cpython/issues/ and link it here so I can see that it's been reported upstream and track that.
For now, I will add back in the special case for the location header, but keep the parameter itself deprecated. In 2.4 I will add in an attribute like
itms-services, whilst undocumented, is a validly used scheme and is used to install Enterprise or Ad-Hoc iOS Apps.
The fix for issue #2609 breaks this.