Skip to content

In MeasurementPolicy::from_file_or_url only allow HTTP on the loopback addresses #12

Open
#13
Open
In MeasurementPolicy::from_file_or_url only allow HTTP on the loopback addresses#12
#13
@0x416e746f6e

Description

@0x416e746f6e
0x416e746f6e
opened on Mar 30, 2026

MeasurementPolicy::from_file_or_url accepts HTTP (plain text) URLs for the measurement policy load.

This poses a danger of policy spoofing if it's retrieved from external source.

We should only allow HTTP on loopback connections (i.e. same host).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions