react-native-windows 0.69.7 → 0.69.9

package/Shared/Networking/OriginPolicyHttpFilter.cpp

@@ -11,9 +11,6 @@
 #include <boost/algorithm/string.hpp>
 #include <boost/lexical_cast/try_lexical_convert.hpp>
 
-// Windows API
-#include <winrt/Windows.Web.Http.Headers.h>
-
 // Standard Library
 #include <queue>
 #include <regex>
@@ -27,6 +24,7 @@ using winrt::to_hstring;
 using winrt::Windows::Foundation::IInspectable;
 using winrt::Windows::Foundation::IPropertyValue;
 using winrt::Windows::Foundation::Uri;
+using winrt::Windows::Foundation::Collections::IMap;
 using winrt::Windows::Web::Http::HttpMethod;
 using winrt::Windows::Web::Http::HttpRequestMessage;
 using winrt::Windows::Web::Http::HttpResponseMessage;
@@ -118,7 +116,7 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
 }
 
 /*static*/ bool OriginPolicyHttpFilter::IsSameOrigin(Uri const &u1, Uri const &u2) noexcept {
-  return u1.SchemeName() == u2.SchemeName() && u1.Host() == u2.Host() && u1.Port() == u2.Port();
+  return (u1 && u2) && u1.SchemeName() == u2.SchemeName() && u1.Host() == u2.Host() && u1.Port() == u2.Port();
 }
 
 /*static*/ bool OriginPolicyHttpFilter::IsSimpleCorsRequest(HttpRequestMessage const &request) noexcept {
@@ -373,7 +371,7 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
   }
 }
 
-OriginPolicyHttpFilter::OriginPolicyHttpFilter(IHttpFilter &&innerFilter) : m_innerFilter{std::move(innerFilter)} {}
+OriginPolicyHttpFilter::OriginPolicyHttpFilter(IHttpFilter const &innerFilter) : m_innerFilter{innerFilter} {}
 
 OriginPolicyHttpFilter::OriginPolicyHttpFilter()
     : OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::HttpBaseProtocolFilter{}) {}
@@ -442,21 +440,24 @@ OriginPolicy OriginPolicyHttpFilter::ValidateRequest(HttpRequestMessage const &r
 void OriginPolicyHttpFilter::ValidateAllowOrigin(
     hstring const &allowedOrigin,
     hstring const &allowCredentials,
-    IInspectable const &iRequestArgs) const {
+    IMap<hstring, IInspectable> props) const {
   // 4.10.1-2 - null allow origin
   if (L"null" == allowedOrigin)
     throw hresult_error{
         E_INVALIDARG,
         L"Response header Access-Control-Allow-Origin has a value of [null] which differs from the supplied origin"};
 
-  bool withCredentials = iRequestArgs.as<RequestArgs>()->WithCredentials;
+  bool withCredentials = props.Lookup(L"RequestArgs").as<RequestArgs>()->WithCredentials;
   // 4.10.3 - valid wild card allow origin
   if (!withCredentials && L"*" == allowedOrigin)
     return;
 
   // We assume the source (request) origin is not "*", "null", or empty string. Valid URI is expected
   // 4.10.4 - Mismatched allow origin
-  if (allowedOrigin.empty() || !IsSameOrigin(s_origin, Uri{allowedOrigin})) {
+  auto taintedOriginProp = props.TryLookup(L"TaintedOrigin");
+  auto taintedOrigin = taintedOriginProp && winrt::unbox_value<bool>(taintedOriginProp);
+  auto origin = taintedOrigin ? nullptr : s_origin;
+  if (allowedOrigin.empty() || !IsSameOrigin(origin, Uri{allowedOrigin})) {
     hstring errorMessage;
     if (allowedOrigin.empty())
       errorMessage = L"No valid origin in response";
@@ -510,14 +511,14 @@ void OriginPolicyHttpFilter::ValidatePreflightResponse(
 
   auto controlValues = ExtractAccessControlValues(response.Headers());
 
-  auto iRequestArgs = request.Properties().Lookup(L"RequestArgs");
+  auto props = request.Properties();
   // Check if the origin is allowed in conjuction with the withCredentials flag
   // CORS preflight should always exclude credentials although the subsequent CORS request may include credentials.
-  ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, iRequestArgs);
+  ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, props);
 
   // See https://fetch.spec.whatwg.org/#cors-preflight-fetch, section 4.8.7.5
   // Check if the request method is allowed
-  bool withCredentials = iRequestArgs.as<RequestArgs>()->WithCredentials;
+  bool withCredentials = props.Lookup(L"RequestArgs").as<RequestArgs>()->WithCredentials;
   bool requestMethodAllowed = false;
   for (const auto &method : controlValues.AllowedMethods) {
     if (L"*" == method) {
@@ -578,8 +579,8 @@ void OriginPolicyHttpFilter::ValidateResponse(HttpResponseMessage const &respons
   if (originPolicy == OriginPolicy::SimpleCrossOriginResourceSharing ||
       originPolicy == OriginPolicy::CrossOriginResourceSharing) {
     auto controlValues = ExtractAccessControlValues(response.Headers());
-    auto withCredentials =
-        response.RequestMessage().Properties().Lookup(L"RequestArgs").try_as<RequestArgs>()->WithCredentials;
+    auto props = response.RequestMessage().Properties();
+    auto withCredentials = props.Lookup(L"RequestArgs").try_as<RequestArgs>()->WithCredentials;
 
     if (GetRuntimeOptionBool("Http.StrictOriginCheckSimpleCors") &&
         originPolicy == OriginPolicy::SimpleCrossOriginResourceSharing) {
@@ -594,8 +595,7 @@ void OriginPolicyHttpFilter::ValidateResponse(HttpResponseMessage const &respons
         throw hresult_error{E_INVALIDARG, L"The server does not support CORS or the origin is not allowed"};
       }
     } else {
-      auto iRequestArgs = response.RequestMessage().Properties().Lookup(L"RequestArgs");
-      ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, iRequestArgs);
+      ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, props);
     }
 
     if (originPolicy == OriginPolicy::SimpleCrossOriginResourceSharing) {
@@ -678,6 +678,38 @@ ResponseOperation OriginPolicyHttpFilter::SendPreflightAsync(HttpRequestMessage
   co_return {co_await m_innerFilter.SendRequestAsync(preflightRequest)};
 }
 
+#pragma region IRedirectEventSource
+
+bool OriginPolicyHttpFilter::OnRedirecting(
+    HttpRequestMessage const &request,
+    HttpResponseMessage const &response) noexcept {
+  // Consider the following scenario.
+  // User signs in to http://a.com and visits a page that makes CORS request to http://b.com with origin=http://a.com.
+  // Http://b.com reponds with a redirect to http://a.com. The browser follows the redirect to http://a.com with
+  // origin=http://a.com. Since the origin matches the URL, the request is authorized at http://a.com, but it actually
+  // allows http://b.com to bypass the CORS check at http://a.com since the redirected URL is from http://b.com.
+  if (!IsSameOrigin(response.Headers().Location(), request.RequestUri()) &&
+      !IsSameOrigin(s_origin, request.RequestUri())) {
+    // By masking the origin field in the request header, we make it impossible for the server to set a single value for
+    // the access-control-allow-origin header. It means, the only way to support redirect is that server allows access
+    // from all sites through wildcard.
+    request.Headers().Insert(L"Origin", L"null");
+
+    auto props = request.Properties();
+    // Look for 'RequestArgs' key to ensure we are redirecting the main request.
+    if (auto iReqArgs = props.TryLookup(L"RequestArgs")) {
+      props.Insert(L"TaintedOrigin", winrt::box_value(true));
+    } else {
+      // Abort redirection if the request is either preflight or extraneous.
+      return false;
+    }
+  }
+
+  return true;
+}
+
+#pragma endregion IRedirectEventSource
+
 #pragma region IHttpFilter
 
 ResponseOperation OriginPolicyHttpFilter::SendRequestAsync(HttpRequestMessage const &request) {

package/Shared/Networking/OriginPolicyHttpFilter.h

@@ -3,11 +3,14 @@
 
 #pragma once
 
+#include "IRedirectEventSource.h"
 #include "OriginPolicy.h"
 
 // Windows API
+#include <winrt/Windows.Foundation.Collections.h>
 #include <winrt/Windows.Foundation.h>
 #include <winrt/Windows.Web.Http.Filters.h>
+#include <winrt/Windows.Web.Http.Headers.h>
 #include <winrt/Windows.Web.Http.h>
 
 // Standard Library
@@ -16,7 +19,8 @@
 namespace Microsoft::React::Networking {
 
 class OriginPolicyHttpFilter
-    : public winrt::implements<OriginPolicyHttpFilter, winrt::Windows::Web::Http::Filters::IHttpFilter> {
+    : public winrt::
+          implements<OriginPolicyHttpFilter, winrt::Windows::Web::Http::Filters::IHttpFilter, IRedirectEventSource> {
  public:
   struct ConstWcharComparer {
     bool operator()(const wchar_t *, const wchar_t *) const;
@@ -75,7 +79,7 @@ class OriginPolicyHttpFilter
       winrt::Windows::Web::Http::HttpResponseMessage const &response,
       bool removeAll);
 
-  OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::IHttpFilter &&innerFilter);
+  OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::IHttpFilter const &innerFilter);
 
   OriginPolicyHttpFilter();
 
@@ -92,13 +96,22 @@ class OriginPolicyHttpFilter
   void ValidateAllowOrigin(
       winrt::hstring const &allowedOrigin,
       winrt::hstring const &allowCredentials,
-      winrt::Windows::Foundation::IInspectable const &iArgs) const;
+      winrt::Windows::Foundation::Collections::IMap<winrt::hstring, winrt::Windows::Foundation::IInspectable> props)
+      const;
 
   winrt::Windows::Foundation::IAsyncOperationWithProgress<
       winrt::Windows::Web::Http::HttpResponseMessage,
       winrt::Windows::Web::Http::HttpProgress>
   SendPreflightAsync(winrt::Windows::Web::Http::HttpRequestMessage const &request) const;
 
+#pragma region IRedirectEventSource
+
+  bool OnRedirecting(
+      winrt::Windows::Web::Http::HttpRequestMessage const &request,
+      winrt::Windows::Web::Http::HttpResponseMessage const &response) noexcept override;
+
+#pragma endregion IRedirectEventSource
+
 #pragma region IHttpFilter
 
   winrt::Windows::Foundation::IAsyncOperationWithProgress<

package/Shared/Networking/RedirectHttpFilter.cpp

@@ -0,0 +1,283 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#undef WINRT_LEAN_AND_MEAN
+
+#include "RedirectHttpFilter.h"
+
+#include "WinRTTypes.h"
+
+// Windows API
+#include <winapifamily.h>
+#include <winrt/Windows.Web.Http.Headers.h>
+#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
+#include <WinInet.h>
+#else
+#define INTERNET_ERROR_BASE 12000
+#define ERROR_HTTP_REDIRECT_FAILED (INTERNET_ERROR_BASE + 156)
+#endif
+
+namespace {
+constexpr size_t DefaultMaxRedirects = 20;
+} // namespace
+
+using winrt::Windows::Foundation::Uri;
+using winrt::Windows::Foundation::Collections::IVector;
+using winrt::Windows::Security::Credentials::PasswordCredential;
+using winrt::Windows::Security::Cryptography::Certificates::Certificate;
+using winrt::Windows::Security::Cryptography::Certificates::ChainValidationResult;
+using winrt::Windows::Web::Http::HttpMethod;
+using winrt::Windows::Web::Http::HttpRequestMessage;
+using winrt::Windows::Web::Http::HttpResponseMessage;
+using winrt::Windows::Web::Http::HttpStatusCode;
+using winrt::Windows::Web::Http::Filters::IHttpBaseProtocolFilter;
+using winrt::Windows::Web::Http::Filters::IHttpFilter;
+
+namespace Microsoft::React::Networking {
+
+#pragma region RedirectHttpFilter
+
+RedirectHttpFilter::RedirectHttpFilter(
+    size_t maxRedirects,
+    IHttpFilter &&innerFilter,
+    IHttpFilter &&innerFilterWithNoCredentials) noexcept
+    : m_maximumRedirects{maxRedirects},
+      m_innerFilter{std::move(innerFilter)},
+      m_innerFilterWithNoCredentials{std::move(innerFilterWithNoCredentials)} {
+  // Prevent automatic redirections.
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.AllowAutoRedirect(false);
+    baseFilter.AllowUI(false);
+  }
+  if (auto baseFilter = m_innerFilterWithNoCredentials.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.AllowAutoRedirect(false);
+    baseFilter.AllowUI(false);
+  }
+}
+
+RedirectHttpFilter::RedirectHttpFilter(IHttpFilter &&innerFilter, IHttpFilter &&innerFilterWithNoCredentials) noexcept
+    : RedirectHttpFilter(DefaultMaxRedirects, std::move(innerFilter), std::move(innerFilterWithNoCredentials)) {}
+
+RedirectHttpFilter::RedirectHttpFilter() noexcept
+    : RedirectHttpFilter(
+          winrt::Windows::Web::Http::Filters::HttpBaseProtocolFilter{},
+          winrt::Windows::Web::Http::Filters::HttpBaseProtocolFilter{}) {}
+
+void RedirectHttpFilter::SetRequestFactory(std::weak_ptr<IWinRTHttpRequestFactory> factory) noexcept {
+  m_requestFactory = factory;
+}
+
+void RedirectHttpFilter::SetRedirectSource(
+    winrt::com_ptr<Microsoft::React::Networking::IRedirectEventSource> const &eventSrc) noexcept {
+  m_redirEventSrc = eventSrc;
+}
+
+#pragma region IHttpBaseProtocolFilter
+
+bool RedirectHttpFilter::AllowAutoRedirect() const {
+  return m_allowAutoRedirect;
+}
+
+void RedirectHttpFilter::AllowAutoRedirect(bool value) {
+  m_allowAutoRedirect = value;
+}
+
+bool RedirectHttpFilter::AllowUI() const {
+  return false;
+}
+void RedirectHttpFilter::AllowUI(bool /*value*/) const {
+  throw winrt::hresult_error{HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED)};
+}
+
+bool RedirectHttpFilter::AutomaticDecompression() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.AutomaticDecompression();
+  }
+
+  return false;
+}
+void RedirectHttpFilter::AutomaticDecompression(bool value) const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.AutomaticDecompression(value);
+  }
+}
+
+winrt::Windows::Web::Http::Filters::HttpCacheControl RedirectHttpFilter::CacheControl() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.CacheControl();
+  }
+
+  return nullptr;
+}
+
+winrt::Windows::Web::Http::HttpCookieManager RedirectHttpFilter::CookieManager() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.CookieManager();
+  }
+
+  return nullptr;
+}
+
+Certificate RedirectHttpFilter::ClientCertificate() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.ClientCertificate();
+  }
+
+  return nullptr;
+}
+void RedirectHttpFilter::ClientCertificate(Certificate const &value) const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.ClientCertificate(value);
+  }
+}
+
+IVector<ChainValidationResult> RedirectHttpFilter::IgnorableServerCertificateErrors() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.IgnorableServerCertificateErrors();
+  }
+
+  return nullptr;
+}
+
+uint32_t RedirectHttpFilter::MaxConnectionsPerServer() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.MaxConnectionsPerServer();
+  }
+
+  return 0;
+}
+void RedirectHttpFilter::MaxConnectionsPerServer(uint32_t value) const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.MaxConnectionsPerServer(value);
+  }
+}
+
+PasswordCredential RedirectHttpFilter::ProxyCredential() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.ProxyCredential();
+  }
+
+  return nullptr;
+}
+void RedirectHttpFilter::ProxyCredential(PasswordCredential const &value) const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.ProxyCredential(value);
+  }
+}
+
+PasswordCredential RedirectHttpFilter::ServerCredential() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.ServerCredential();
+  }
+
+  return nullptr;
+}
+void RedirectHttpFilter::ServerCredential(PasswordCredential const &value) const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.ServerCredential(value);
+  }
+}
+
+bool RedirectHttpFilter::UseProxy() const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    return baseFilter.UseProxy();
+  }
+
+  return false;
+}
+void RedirectHttpFilter::UseProxy(bool value) const {
+  if (auto baseFilter = m_innerFilter.try_as<IHttpBaseProtocolFilter>()) {
+    baseFilter.UseProxy(value);
+  }
+}
+
+#pragma endregion IHttpBaseProtocolFilter
+
+#pragma region IHttpFilter
+
+///
+/// See https://github.com/dotnet/corefx/pull/22702
+ResponseOperation RedirectHttpFilter::SendRequestAsync(HttpRequestMessage const &request) {
+  size_t redirectCount = 0;
+  HttpMethod method{nullptr};
+  HttpResponseMessage response{nullptr};
+
+  auto coRequest = request;
+  auto coAllowAutoRedirect = m_allowAutoRedirect;
+  auto coMaxRedirects = m_maximumRedirects;
+  auto coRequestFactory = m_requestFactory;
+  auto coEventSrc = m_redirEventSrc;
+
+  method = coRequest.Method();
+
+  do {
+    // Send subsequent requests through the filter that doesn't have the credentials included in the first request
+    response =
+        co_await (redirectCount > 0 ? m_innerFilterWithNoCredentials : m_innerFilter).SendRequestAsync(coRequest);
+
+    // Stop redirecting when a non-redirect status is responded.
+    if (response.StatusCode() != HttpStatusCode::MultipleChoices &&
+        response.StatusCode() != HttpStatusCode::MovedPermanently &&
+        response.StatusCode() != HttpStatusCode::Found && // Redirect
+        response.StatusCode() != HttpStatusCode::SeeOther && // RedirectMethod
+        response.StatusCode() != HttpStatusCode::TemporaryRedirect && // RedirectKeepVerb
+        response.StatusCode() != HttpStatusCode::PermanentRedirect) {
+      break;
+    }
+
+    redirectCount++;
+    if (redirectCount > coMaxRedirects) {
+      throw winrt::hresult_error{HRESULT_FROM_WIN32(ERROR_HTTP_REDIRECT_FAILED), L"Too many redirects"};
+    }
+
+    // Call event source's OnRedirecting before modifying request parameters.
+    if (coEventSrc && !coEventSrc->OnRedirecting(coRequest, response)) {
+      break;
+    }
+
+    if (auto requestFactory = coRequestFactory.lock()) {
+      coRequest =
+          co_await requestFactory->CreateRequest(HttpMethod{method}, coRequest.RequestUri(), coRequest.Properties());
+
+      if (!coRequest) {
+        throw winrt::hresult_error{E_INVALIDARG, L"Invalid request handle"};
+      }
+    }
+
+    auto redirectUri = Uri{response.Headers().Location().AbsoluteUri()};
+    if (!redirectUri) {
+      break;
+    }
+
+    if (redirectUri.SchemeName() != L"http" && redirectUri.SchemeName() != L"https") {
+      break;
+    }
+
+    // Do not "downgrade" from HTTPS to HTTP
+    if (coRequest.RequestUri().SchemeName() == L"https" && redirectUri.SchemeName() == L"http") {
+      break;
+    }
+
+    /// See https://github.com/dotnet/corefx/blob/v3.1.28/src/System.Net.Http/src/uap/System/Net/HttpClientHandler.cs
+    // Follow HTTP RFC 7231 rules. In general, 3xx responses
+    // except for 307 and 308 will keep verb except POST becomes GET.
+    // 307 and 308 responses have all verbs stay the same.
+    // https://tools.ietf.org/html/rfc7231#section-6.4
+    if (response.StatusCode() != HttpStatusCode::TemporaryRedirect &&
+        response.StatusCode() != HttpStatusCode::PermanentRedirect && method != HttpMethod::Post()) {
+      method = HttpMethod::Get();
+    }
+
+    coRequest.RequestUri(redirectUri);
+  } while (coAllowAutoRedirect);
+
+  response.RequestMessage(coRequest);
+
+  co_return response;
+}
+
+#pragma endregion IHttpFilter
+
+#pragma endregion RedirectHttpFilter
+
+} // namespace Microsoft::React::Networking

package/Shared/Networking/RedirectHttpFilter.h

@@ -0,0 +1,97 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#pragma once
+
+#include <winrt/base.h>
+#include "IRedirectEventSource.h"
+#include "IWinRTHttpRequestFactory.h"
+
+// Windows API
+#include <winrt/Windows.Foundation.Collections.h>
+#include <winrt/Windows.Security.Credentials.h>
+#include <winrt/Windows.Security.Cryptography.Certificates.h>
+#include <winrt/Windows.Web.Http.Filters.h>
+#include <winrt/Windows.Web.Http.h>
+
+namespace Microsoft::React::Networking {
+
+class RedirectHttpFilter : public winrt::implements<
+                               RedirectHttpFilter,
+                               winrt::Windows::Web::Http::Filters::IHttpFilter,
+                               winrt::Windows::Web::Http::Filters::IHttpBaseProtocolFilter> {
+  // See
+  // https://github.com/dotnet/corefx/pull/22702/files#diff-53f0c1940c6bec8054a95caac33680306aa6ab13ac48c9a8c9df013d3bc29d15R30
+  //  We need two different WinRT filters because we need to remove credentials during redirection requests
+  //  and WinRT doesn't allow changing the filter properties after the first request.
+  winrt::Windows::Web::Http::Filters::IHttpFilter m_innerFilter;
+  winrt::Windows::Web::Http::Filters::IHttpFilter m_innerFilterWithNoCredentials;
+
+  std::weak_ptr<IWinRTHttpRequestFactory> m_requestFactory;
+  winrt::com_ptr<Microsoft::React::Networking::IRedirectEventSource> m_redirEventSrc;
+  bool m_allowAutoRedirect{true};
+  size_t m_maximumRedirects;
+
+ public:
+  RedirectHttpFilter(
+      size_t maxRedirects,
+      winrt::Windows::Web::Http::Filters::IHttpFilter &&innerFilter,
+      winrt::Windows::Web::Http::Filters::IHttpFilter &&innerFilterWithNoCredentials) noexcept;
+
+  RedirectHttpFilter(
+      winrt::Windows::Web::Http::Filters::IHttpFilter &&innerFilter,
+      winrt::Windows::Web::Http::Filters::IHttpFilter &&innerFilterWithNoCredentials) noexcept;
+
+  RedirectHttpFilter() noexcept;
+
+  void SetRequestFactory(std::weak_ptr<IWinRTHttpRequestFactory> factory) noexcept;
+
+  void SetRedirectSource(winrt::com_ptr<Microsoft::React::Networking::IRedirectEventSource> const &eventSrc) noexcept;
+
+#pragma region IHttpFilter
+
+  winrt::Windows::Foundation::IAsyncOperationWithProgress<
+      winrt::Windows::Web::Http::HttpResponseMessage,
+      winrt::Windows::Web::Http::HttpProgress>
+  SendRequestAsync(winrt::Windows::Web::Http::HttpRequestMessage const &request);
+
+#pragma endregion IHttpFilter
+
+#pragma region IHttpBaseProtocolFilter
+
+  bool AllowAutoRedirect() const;
+  void AllowAutoRedirect(bool value);
+
+  bool AllowUI() const;
+  void AllowUI(bool value) const;
+
+  bool AutomaticDecompression() const;
+  void AutomaticDecompression(bool value) const;
+
+  winrt::Windows::Web::Http::Filters::HttpCacheControl CacheControl() const;
+
+  winrt::Windows::Web::Http::HttpCookieManager CookieManager() const;
+
+  winrt::Windows::Security::Cryptography::Certificates::Certificate ClientCertificate() const;
+  void ClientCertificate(winrt::Windows::Security::Cryptography::Certificates::Certificate const &value) const;
+
+  winrt::Windows::Foundation::Collections::IVector<
+      winrt::Windows::Security::Cryptography::Certificates::ChainValidationResult>
+  IgnorableServerCertificateErrors() const;
+
+  uint32_t MaxConnectionsPerServer() const;
+  void MaxConnectionsPerServer(uint32_t value) const;
+
+  winrt::Windows::Security::Credentials::PasswordCredential ProxyCredential() const;
+  void ProxyCredential(winrt::Windows::Security::Credentials::PasswordCredential const &value) const;
+
+  winrt::Windows::Security::Credentials::PasswordCredential ServerCredential() const;
+  void ServerCredential(winrt::Windows::Security::Credentials::PasswordCredential const &value) const;
+
+  bool UseProxy() const;
+  void UseProxy(bool value) const;
+
+#pragma endregion IHttpBaseProtocolFilter
+};
+
+} // namespace Microsoft::React::Networking