url same origin tests #21328

Closed
icing wants to merge 7 commits into curl:master from icing:url-same-origin

Conversation

icing (Contributor) commented Apr 15, 2026

Add new internal curl_url_same_origin() to check if a href has the same origin as a base URL. Add test cases in test1675 and use this in http2 push handling.

@github-actions github-actions Bot added the tests label Apr 15, 2026
icing added 3 commits April 15, 2026 11:04
Add new internal `curl_url_same_origin()` to check if
a href has the same origin as a base URL. Add test cases
in test1675 and use this in http2 push handling.
icing force-pushed the url-same-origin branch from 0b3f21b to 5b2caa3, April 15, 2026 09:04

Hybirdss commented
Tested the PoC from #21325 against this branch — push is rejected (push_count=0, no file:// URL in the callback; master still reproduces). Same-origin check is a nicer fix than just mirroring the #21113 guard. Thanks for picking this up.

icing requested a review from bagder April 15, 2026 11:48

Copilot AI left a comment

Pull request overview

Adds an internal same-origin check for URLs and applies it to HTTP/2 server push handling to restrict PUSH_PROMISE resources to the same origin as the initiating request, with accompanying unit coverage.

Changes:

  • Introduce Curl_url_same_origin() in the URL API internals.
  • Use same-origin validation in HTTP/2 PUSH_PROMISE URL construction.
  • Add unit tests in unit1675 and update singleuse.pl allowlist.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

File                   Description
lib/urlapi.c           Adds Curl_url_same_origin() implementation.
lib/urlapi-int.h       Exposes Curl_url_same_origin() for internal callers.
lib/http2.c            Enforces the same-origin requirement for pushed resources when forming the transfer URL.
tests/unit/unit1675.c  Adds unit test cases covering same-origin matching behavior.
scripts/singleuse.pl   Attempts to allowlist the new internal symbol for single-use scanning.

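As an added illustration (not curl's code and not the Curl_url_same_origin() this PR introduces), a minimal C same-origin check of the kind the review describes: scheme, host and effective port must all match, and a pushed URL that carries no authority at all (such as a file:// URL) is rejected. The split_origin() and url_same_origin() names are hypothetical; default ports are filled in for http and https only, and bracketed IPv6 hosts are out of scope.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive equality: scheme and host names compare case-insensitively. */
static bool ieq(const char *a, const char *b)
{
  for(; *a && *b; a++, b++)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return false;
  return *a == *b;
}

/* Hypothetical minimal parser for scheme://[userinfo@]host[:port][/...].
   Bracketed IPv6 hosts are not handled. Returns false for anything else. */
static bool split_origin(const char *url, char *scheme, size_t scap,
                         char *host, size_t hcap, int *port)
{
  const char *p = strstr(url, "://"), *end, *at, *colon;
  char *e = NULL; long v = 0; size_t hl;
  if(!p || p == url || (size_t)(p - url) >= scap) return false;
  memcpy(scheme, url, p - url); scheme[p - url] = '\0';
  p += 3;
  end = p + strcspn(p, "/?#");            /* authority ends at path/query */
  at = memchr(p, '@', end - p);           /* ignore userinfo */
  if(at) p = at + 1;
  colon = memchr(p, ':', end - p);
  hl = (colon ? colon : end) - p;
  if(hl == 0 || hl >= hcap) return false; /* e.g. file:///x has no host */
  memcpy(host, p, hl); host[hl] = '\0';
  if(!colon) { /* no explicit port: use the scheme default, 0 if unknown */
    *port = ieq(scheme, "https") ? 443 : ieq(scheme, "http") ? 80 : 0;
    return true;
  }
  if(isdigit((unsigned char)colon[1])) v = strtol(colon + 1, &e, 10);
  if(v < 1 || v > 65535 || e != end) return false;
  *port = (int)v;
  return true;
}

/* Same origin: same scheme, same host (case-insensitive), same effective port. */
bool url_same_origin(const char *base, const char *href)
{
  char bs[32], bh[256], hs[32], hh[256];
  int bp, hp;
  if(!split_origin(base, bs, sizeof bs, bh, sizeof bh, &bp) ||
     !split_origin(href, hs, sizeof hs, hh, sizeof hh, &hp))
    return false;
  return ieq(bs, hs) && ieq(bh, hh) && bp == hp;
}
```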
icing (Contributor, Author) commented Apr 16, 2026

working on making test_05_09 more reliable here: #21337

bagder closed this in 32a513e Apr 16, 2026

4 participants