Closed
Conversation
Introduce `Curl_xfer_is_secure(data)` that returns TRUE for transfers that happen(ed) over a end-to-end secured connection, e.g. SSL. Add test1586 to verify behaviour for http: transfers via a https: proxy.
bagder
approved these changes
Mar 17, 2026
There was a problem hiding this comment.
Pull request overview
This PR introduces an internal helper to consistently decide whether a transfer is end-to-end secure (based on the target scheme/TLS state), and uses it to gate security-sensitive behaviors (HSTS/Alt-Svc, channel binding, STARTTLS decisions). It also adds a regression test for the key scenario of http:// targets fetched via an https:// proxy.
Changes:
- Add
Curl_xfer_is_secure(data)and expose it vialib/transfer.h. - Switch several call sites (HTTP HSTS/Alt-Svc, HTTP Negotiate CBT, IMAP STARTTLS decision, HTTP/2 pseudo
:scheme) to use the new helper. - Add test1586 and wire it into the test suite to verify HSTS is ignored for
http://over an HTTPS proxy.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/data/test1586 | New test ensuring HSTS headers are ignored for http:// URLs when using an https:// proxy. |
| tests/data/Makefile.am | Adds test1586 to the autotools test data list. |
| lib/transfer.h | Declares the new Curl_xfer_is_secure() helper. |
| lib/transfer.c | Implements Curl_xfer_is_secure() based on connection scheme and TLS state. |
| lib/imap.c | Uses the helper when deciding whether to initiate STARTTLS. |
| lib/http_negotiate.c | Uses the helper to decide whether to collect TLS channel binding data for Negotiate auth. |
| lib/http.c | Uses the helper to gate HSTS/Alt-Svc processing and to derive HTTP/2 pseudo :scheme. |
Comments suppressed due to low confidence (1)
lib/http_negotiate.c:132
- In proxy Negotiate auth mode (
proxy == true),Curl_xfer_is_secure(data)can be FALSE for anhttp://URL even when the proxy connection itself is TLS-secured (eg-x https://...). That would skip CBT/channel-binding generation for proxy authentication, which should be based on the security of the authenticated peer (the proxy), not the target URL scheme. Consider usingCurl_conn_is_ssl(conn, FIRSTSOCKET)whenproxyis true, andCurl_xfer_is_secure(data)only for origin-server authentication.
curlx_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
result = Curl_ssl_get_channel_binding(data, FIRSTSOCKET,
&neg_ctx->channel_binding_data);
if(result) {
http_auth_nego_reset(conn, neg_ctx, proxy);
return result;
}
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
vszakats
reviewed
Mar 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduce
Curl_xfer_is_secure(data)that returns TRUE for transfers that happen(ed) over a end-to-end secured connection, e.g. SSL.Add test1586 to verify behaviour for http: transfers via a https: proxy.