Skip to content

fix: skip upgrade-insecure-requests CSP for external HTTP backends#7714

Merged
lifeizhou-ap merged 1 commit intoblock:mainfrom
fresh3nough:fix/7692-external-backend-csp-upgrade
Mar 13, 2026
Merged

fix: skip upgrade-insecure-requests CSP for external HTTP backends#7714
lifeizhou-ap merged 1 commit intoblock:mainfrom
fresh3nough:fix/7692-external-backend-csp-upgrade

Conversation

@fresh3nough
Copy link
Contributor

@fresh3nough fresh3nough commented Mar 7, 2026

Summary

When an external goosed backend is configured with a plain HTTP URL, the CSP upgrade-insecure-requests directive causes Chromium to silently rewrite those requests to HTTPS. Since the remote server typically does not support TLS, the upgraded requests fail with "Error: Failed to fetch".

This change extracts the CSP building logic from main.ts into a dedicated, testable utility (ui/desktop/src/utils/csp.ts) and conditionally omits upgrade-insecure-requests when the external backend URL uses plain HTTP. Loopback addresses (127.0.0.1/localhost) are exempt from the upgrade per the CSP spec, so the built-in local backend is unaffected.

Type of Change

  • Bug fix
  • Refactor / Code quality
  • Tests

AI Assistance

  • This PR was created or reviewed with AI assistance

Testing

  • Unit tests added in ui/desktop/src/utils/__tests__/csp.test.ts covering:
    • buildConnectSrc: default sources, external origin inclusion/exclusion, invalid URL handling
    • shouldUpgradeInsecureRequests: HTTP vs HTTPS external backends, disabled/missing configs, edge cases
    • buildCSP: end-to-end CSP string generation with and without the upgrade directive
  • Manual testing: verified external HTTP backend no longer triggers "Failed to fetch"

Related Issues

Fixes #7692

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 7, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 536dd7a0de

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@fresh3nough fresh3nough force-pushed the fix/7692-external-backend-csp-upgrade branch from 536dd7a to bebead0 Compare March 7, 2026 20:04
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 7, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bebead053e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@fresh3nough
fix: skip upgrade-insecure-requests CSP for external HTTP backends
4dee596 
When an external goosed backend is configured with an HTTP URL,
the CSP upgrade-insecure-requests directive causes Chromium to
silently rewrite requests to HTTPS. Since the remote server
typically does not support TLS, the upgraded requests fail with
'Error: Failed to fetch'.

Loopback addresses (127.0.0.1/localhost) are exempt from the
upgrade per the CSP spec, so the built-in local backend is
unaffected.

This change extracts the CSP building logic into a testable
utility (csp.ts) and conditionally omits upgrade-insecure-requests
when the external backend URL uses plain HTTP.

Fixes: block#7692
Signed-off-by: fresh3nough <fresh3nough@users.noreply.github.com>
Signed-off-by: fre <anonwurcod@proton.me>
@fresh3nough fresh3nough force-pushed the fix/7692-external-backend-csp-upgrade branch from bebead0 to 4dee596 Compare March 7, 2026 20:09
lifeizhou-ap
lifeizhou-ap approved these changes Mar 13, 2026
View reviewed changes
Copy link
Collaborator

@lifeizhou-ap lifeizhou-ap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for fixing this!

@lifeizhou-ap lifeizhou-ap added this pull request to the merge queue Mar 13, 2026
Merged via the queue into block:main with commit b475ecf Mar 13, 2026
20 checks passed
@fresh3nough
Copy link
Contributor Author

fresh3nough commented Mar 13, 2026

np!

lifeizhou-ap added a commit that referenced this pull request Mar 16, 2026
@lifeizhou-ap
Merge branch 'main' into lifei/simplify_onboarding_flow
9696662 
* main: (191 commits)
  fix: add tool_choice and parallel_tool_calls to chatgpt_codex provider (#7867)
  fix: tool confirmation handling for multiple requests (#7856)
  Remove dead OllamaSetup onboarding flow (#7861)
  fix: resolve tokio::sync::Mutex deadlock in recipe retry path (#7832)
  Upgrade Electron 40.6.0 → 41.0.0 (#7851)
  Only show up to 50 lines of source code (#7578)
  fix: stop writing without error when hitting broken pipe for goose session list (#7858)
  feat(acp): add session/set_mode handler (#7801)
  Keep messages in sync (#7850)
  More acp tools (#7843)
  fix: skip upgrade-insecure-requests CSP for external HTTP backends (#7714)
  fix(shell): prevent hang when command backgrounds a child process (#7689)
  Remove include from Cargo.toml in goose-mcp (#7838)
  Exit agent loop when tool call JSON fails to parse (#7840)
  chore: remove redundant husky prepare script (#7829)
  Add github actions workflow for unused deps (#7681)
  fix: prevent SSE connection drops from silently truncating responses (#7831)
  doc: Added notes in contribution guide for pnpm (#7833)
  add prefer-offline to pnpm config to skip unnecessary registry lookups (#7828)
  fix: remove dead read handler from DeveloperClient (#7821)
  ...
jh-block added a commit that referenced this pull request Mar 16, 2026
@jh-block
Merge branch 'main' into release/1.28.0
e450ac9 
* main: (65 commits)
  feat(otel): propagate session.id to spans and log records (#7490)
  fix(test): add env_lock to is_openai_reasoning_model tests (#7917)
  fix(acp): pass session_id when loading extensions so skills are discovered (#7868)
  updated canonical models (#7920)
  feat(autovisualiser): Migrate the autovisualiser extension to MCP Apps  (#7852)
  fix: add tool_choice and parallel_tool_calls to chatgpt_codex provider (#7867)
  fix: tool confirmation handling for multiple requests (#7856)
  Remove dead OllamaSetup onboarding flow (#7861)
  fix: resolve tokio::sync::Mutex deadlock in recipe retry path (#7832)
  Upgrade Electron 40.6.0 → 41.0.0 (#7851)
  Only show up to 50 lines of source code (#7578)
  fix: stop writing without error when hitting broken pipe for goose session list (#7858)
  feat(acp): add session/set_mode handler (#7801)
  Keep messages in sync (#7850)
  More acp tools (#7843)
  fix: skip upgrade-insecure-requests CSP for external HTTP backends (#7714)
  fix(shell): prevent hang when command backgrounds a child process (#7689)
  Remove include from Cargo.toml in goose-mcp (#7838)
  Exit agent loop when tool call JSON fails to parse (#7840)
  chore: remove redundant husky prepare script (#7829)
  ...
@github-actions github-actions bot mentioned this pull request Mar 16, 2026
Open
wpfleger96 added a commit that referenced this pull request Mar 16, 2026
@wpfleger96
Merge remote-tracking branch 'origin/main' into wpfleger/databricks-t…
bde8d9c 
…oken-retry

* origin/main: (21 commits)
  Remove java/.ai-usage-marker directory (#7925)
  test(acp): add terminal delegation fixtures and fix shell singleton (#7923)
  fix: bump pctx_code_mode to 0.3.0 for iterator type checking fix (#7892)
  feat: persist GooseMode per-session via session DB (#7854)
  feat(otel): propagate session.id to spans and log records (#7490)
  fix(test): add env_lock to is_openai_reasoning_model tests (#7917)
  fix(acp): pass session_id when loading extensions so skills are discovered (#7868)
  updated canonical models (#7920)
  feat(autovisualiser): Migrate the autovisualiser extension to MCP Apps  (#7852)
  fix: add tool_choice and parallel_tool_calls to chatgpt_codex provider (#7867)
  fix: tool confirmation handling for multiple requests (#7856)
  Remove dead OllamaSetup onboarding flow (#7861)
  fix: resolve tokio::sync::Mutex deadlock in recipe retry path (#7832)
  Upgrade Electron 40.6.0 → 41.0.0 (#7851)
  Only show up to 50 lines of source code (#7578)
  fix: stop writing without error when hitting broken pipe for goose session list (#7858)
  feat(acp): add session/set_mode handler (#7801)
  Keep messages in sync (#7850)
  More acp tools (#7843)
  fix: skip upgrade-insecure-requests CSP for external HTTP backends (#7714)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@lifeizhou-ap lifeizhou-ap lifeizhou-ap approved these changes

Assignees

@lifeizhou-ap lifeizhou-ap

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

External backend: UI actions fail with "Error: Failed to fetch" even though /config works

2 participants

@fresh3nough @lifeizhou-ap