secure origin frame support by forcing hostname verification against the certificate

2025-08-10 00:01:27 -04:00 · 2019-12-14 17:17:08 +00:00 · 2019-12-14 17:17:08 +00:00 · 9d6f5413ab
commit 9d6f5413ab
parent e6ec9cb43e
1 changed files with 10 additions and 1 deletions
--- a/lib/httpx/connection.rb
+++ b/lib/httpx/connection.rb
@ -80,7 +80,16 @@ module HTTPX
    def match?(uri, options)
      return false if @state == :closing || @state == :closed

-      (@origins.include?(uri.origin) || match_altsvcs?(uri)) && @options == options
+      (
+        (
+          @origins.include?(uri.origin) &&
+          # if there is more than one origin to match, it means that this connection
+          # was the result of coalescing. To prevent blind trust in the case where the
+          # origin came from an ORIGIN frame, we're going to verify the hostname with the
+          # SSL certificate
+          (@origins.size == 1 || @origin == uri.origin || @io.verify_hostname(uri.host))
+        ) || match_altsvcs?(uri)
+      ) && @options == options
    end

    def mergeable?(connection)