Privacy flaw with Shopify App Proxy

tussawin
The Shopify storefront app proxy is exposing URLs. If you visit the Shopify store URL without https:// or include a trailing slash in the URL, then instead of acting as a proxy, Shopify turns into a redirect and redirects to the proxy URL, revealing the underlying website and opening it up to the public.

An example:
 https://proxy-bug.myshopify.com/a/page/ will load correctly.
 https://proxy-bug.myshopify.com/a/page will expose the underlying URL of the proxy.
 http://proxy-bug.myshopify.com/a/page will expose the underlying URL of the proxy.
 
This is a HUGE security flaw because ANYONE can see ANYONE's Proxy URL just by changing https:// to http://
 
Here is another forum post about the same issue that no one responded to...
 
Shopify, can you please fix this...
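A store owner can check their own proxy path for the behaviour described in the post above by comparing the three URL forms it lists. This is an added example, not part of the original post: the host `origin.example` and the recorded responses are constructed, and the status and `Location` values are assumed to come from requests made with redirect following disabled.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

def variants(proxy_url):
    """Return the three forms the post compares: https with a trailing
    slash, https without it, and http without it."""
    p = urlsplit(proxy_url)
    path = p.path.rstrip("/")
    return [
        urlunsplit(("https", p.netloc, path + "/", p.query, "")),
        urlunsplit(("https", p.netloc, path, p.query, "")),
        urlunsplit(("http", p.netloc, path, p.query, "")),
    ]

def classify(request_url, status, location):
    """Classify one recorded response.
    'no-redirect'        : content was served under the shop domain
    'same-host-redirect' : redirect stays on the shop host (e.g. http -> https)
    'origin-disclosed'   : redirect points at another host, revealing the backend
    """
    if status not in REDIRECT_CODES or not location:
        return "no-redirect"
    shop_host = urlsplit(request_url).hostname
    # Location may be relative, so resolve it against the request URL first.
    target_host = urlsplit(urljoin(request_url, location)).hostname
    if target_host and target_host != shop_host:
        return "origin-disclosed"
    return "same-host-redirect"

def audit(observations):
    """Return only the requests whose redirect leaves the shop host."""
    return [url for url, status, loc in observations
            if classify(url, status, loc) == "origin-disclosed"]

# Constructed observations mirroring the three cases in the post.
SAMPLE = [
    ("https://proxy-bug.myshopify.com/a/page/", 200, None),
    ("https://proxy-bug.myshopify.com/a/page", 301, "https://origin.example/page"),
    ("http://proxy-bug.myshopify.com/a/page", 301, "https://origin.example/page"),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("backend disclosed by redirect from", url)
```

A plain http-to-https redirect on the same host is reported as `same-host-redirect` and is not flagged; only a redirect that leaves the shop host counts as disclosure.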