security fix for private headers that might be copied to a different origin on redirect in Apache #11671

Open
vandonr wants to merge 2 commits into master from vandonr/fix2

Conversation

vandonr (Contributor) commented Jun 18, 2026

What Does This Do

fixes issue reported in APMSP-3274

only copy the full headers when the original request and the redirect are same origin, otherwise, use the existing mechanism that only copies known headers.

Motivation

Additional Notes

the code to detect same origin was fully AI written

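Sketch of the rule the description states, added here as an illustration and not the PR's or the tracer's own code: a same-origin check over scheme, host and effective port decides whether the full header set or only an allowlist of known headers follows the redirect. The KNOWN_HEADERS allowlist, the Header record and the example URIs are all constructed for this sketch.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Constructed illustration only; not the tracer's or the PR's code. */
public final class RedirectHeaderPolicy {
    /** Hypothetical allowlist of "known" headers that may be sent to any origin. */
    private static final Set<String> KNOWN_HEADERS = Set.of("accept", "user-agent", "accept-language");
    /** Port actually used: explicit port, else the scheme default (http 80, https 443). */
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) return uri.getPort();
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        return scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
    }
    /** Same origin means same scheme, same host (case-insensitive) and same effective port. */
    static boolean isSameOrigin(URI a, URI b) {
        if (a.getScheme() == null || b.getScheme() == null || a.getHost() == null || b.getHost() == null) {
            return false; // anything unparseable is treated as cross-origin (fail closed)
        }
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }
    /** Stand-in for the HTTP client's header type. */
    record Header(String name, String value) {}
    /** Headers allowed on the redirected request: all of them on same origin, else only known ones. */
    static List<Header> headersForRedirect(URI original, URI target, List<Header> requestHeaders) {
        if (isSameOrigin(original, target)) {
            return new ArrayList<>(requestHeaders); // previous behaviour, now limited to same origin
        }
        List<Header> kept = new ArrayList<>();
        for (Header h : requestHeaders) {
            if (KNOWN_HEADERS.contains(h.name().toLowerCase(Locale.ROOT))) kept.add(h);
        }
        return kept; // private headers such as Authorization do not cross the origin boundary
    }

    public static void main(String[] args) {
        List<Header> headers = List.of(new Header("Authorization", "Bearer <placeholder-token>"),
                new Header("User-Agent", "example-client/1.0"));
        URI original = URI.create("https://api.example.com/v1/items");
        System.out.println("same origin keeps " + headersForRedirect(original,
                URI.create("https://API.example.com:443/v2/items"), headers).size() + " headers");
        System.out.println("cross origin keeps " + headersForRedirect(original,
                URI.create("https://other.example.net/v2/items"), headers).size() + " headers");
    }
}
```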

@vandonr vandonr requested a review from a team as a code owner June 18, 2026 14:34
@vandonr vandonr requested review from ygree and removed request for a team June 18, 2026 14:34
dd-octo-sts Bot commented Jun 18, 2026

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.


@vandonr vandonr added type: bug Bug report and fix inst: apache httpcomponents Apache HttpComponents labels Jun 18, 2026

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9071851aea

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

dd-octo-sts Bot commented Jun 18, 2026

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite     Status
Startup   🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Scenario                              Candidate   master    Δ (95% CI of mean)
startup:insecure-bank:iast:Agent      14.03 s     13.95 s   [-0.2%; +1.2%] (no difference)
startup:insecure-bank:tracing:Agent   12.92 s     12.96 s   [-1.0%; +0.5%] (no difference)
startup:petclinic:appsec:Agent        16.89 s     16.79 s   [-0.2%; +1.4%] (no difference)
startup:petclinic:iast:Agent          16.89 s     16.89 s   [-0.8%; +0.9%] (no difference)
startup:petclinic:profiling:Agent     16.55 s     16.83 s   [-2.7%; -0.7%] (maybe better)
startup:petclinic:sca:Agent           16.92 s     16.71 s   [+0.5%; +1.9%] (maybe worse)
startup:petclinic:tracing:Agent       15.58 s     16.08 s   [-7.3%; +1.1%] (no difference)

Commit: f7025272 · CI Pipeline · Benchmarking Platform UI

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

vandonr (Contributor, Author) commented Jun 18, 2026

@codex review

chatgpt-codex-connector Bot commented

Codex Review: Didn't find any major issues. You're on a roll.

Reviewed commit: f7025272a0


@PerfectSlayer PerfectSlayer added the tag: security Security related changes label Jun 19, 2026