You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This PR adds a httpsOrLoopback boolean flag to the URL validator, implementing the OAuth 2.0 secure-redirect transport policy from RFC 8252 §7.3: when enabled, standard URLs must use https on any host or http restricted to localhost, 127.0.0.1, or [::1]; private-use scheme URIs remain exempt.
The loopback host list correctly uses [::1] (with brackets), matching PHP 8.x parse_url(…, PHP_URL_HOST) output for IPv6 literals; scheme and host comparisons are case-folded with strtolower.
The refactored $isPrivateUseSchemeURI pre-computation is logically equivalent to the prior inline condition and avoids calling isPrivateUseSchemeURI twice when both httpsOrLoopback and allowPrivateUseSchemes are active.
Test coverage spans happy-path (https, loopback http, private-use), rejection cases (routable http, lookalike hostnames, non-http(s) schemes, fragments), default-off behavior, and the additive interaction with allowedSchemes.
Confidence Score: 5/5
Safe to merge — the new flag is opt-in, defaults to false, and leaves all existing code paths untouched.
The change is additive and backward-compatible. The loopback host matching is correct (PHP 8.x parse_url returns [::1] with brackets), the $isPrivateUseSchemeURI refactor is logically equivalent to the prior inline condition, and the test suite covers the critical rejection and acceptance cases including the allowedSchemes interaction.
No files require special attention.
Important Files Changed
Filename
Overview
packages/validators/src/Validator/URL.php
Adds httpsOrLoopback constructor flag that enforces HTTPS or HTTP-on-loopback per RFC 8252 §7.3; logic is correct, loopback host list covers localhost/127.0.0.1/[::1], and the refactored $isPrivateUseSchemeURI pre-computation is logically equivalent to the prior inline condition.
packages/validators/tests/Validator/URLTest.php
Two new test methods cover the happy path (https, loopback http, private-use schemes), rejection cases (routable http, lookalike hostnames, non-http(s) schemes, fragments), default-off behavior, and the additive interaction with allowedSchemes.
packages/validators/CHANGELOG.md
New CHANGELOG file documents the 0.4.0 addition of httpsOrLoopback, the RFC 8252 motivation, and backward-compatibility guarantees.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds ability to only allow for HTTP for looback URLs - best way to enforce HTTP for URLs, unles during development.