Skip to content

http2 push, prevent secure schemes over insecure connections#21113

Closed
icing wants to merge 1 commit intocurl:masterfrom
icing:h2-push-restrictions
Closed

http2 push, prevent secure schemes over insecure connections#21113
icing wants to merge 1 commit intocurl:masterfrom
icing:h2-push-restrictions

Conversation

@icing
Copy link
Copy Markdown
Contributor

@icing icing commented Mar 27, 2026

When assembling the URL of a pushed resource over a not-secured connection, require the scheme to be known and not secure.

@icing
http2 push, prevent secure schemes over insecure connections
f619ee8 
When assembling the URL of a pushed resource over a not-secured
connection, require the scheme to be known and not secure.
@icing icing added the HTTP/2 label Mar 27, 2026
@github-actions github-actions bot added the HTTP label Mar 27, 2026
@bagder bagder closed this in 2e8c922 Mar 27, 2026
dkarpov1970 pushed a commit to dkarpov1970/curl that referenced this pull request Apr 7, 2026
@icing
http2: prevent secure schemes pushed over insecure connections
a85f1da 
When assembling the URL of a pushed resource over a not-secured
connection, require the scheme to be known and not secure.

Reported-by: xkilua on hackerone

Closes curl#21113
This was referenced Apr 15, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bagder bagder bagder approved these changes

Assignees

No one assigned

Labels

HTTP HTTP/2

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@icing @bagder