feat: Restricted HTTP resolvers #1630

Merged
ok-nick merged 24 commits into main from ok-nick/restricted-http
Dec 4, 2025

Contributor

@ok-nick ok-nick commented Nov 24, 2025

Introduces a new RestrictedResolver struct to restrict an inner Sync/AsyncHttpResolver with the specified allowed list. For the SDK, this is used specifically with the core.allowed_network_hosts setting to constrain HTTP requests to a known list of allowed hosts.

The default behavior of the SDK is to wrap a Sync/AsyncGenericResolver with a RestrictedResolver using the core.allowed_network_hosts setting. Eventually HTTP resolvers and settings will be passed in directly as structs.

The behavior for core.allowed_network_hosts is defined as follows:

/// List of host patterns that are allowed for outbound network requests.
///
/// Each pattern may include:
/// - A scheme (e.g. `https://` or `http://`)
/// - A hostname, which may have a single leading wildcard (e.g. `*.contentauthenticity.org`)
///
/// Matching is case-insensitive. A wildcard pattern such as `*.contentauthenticity.org` matches
/// `sub.contentauthenticity.org`, but does not match `contentauthenticity.org` or `fakecontentauthenticity.org`.
/// If a scheme is present in the pattern, only URIs using the same scheme are considered a match. If the scheme
/// is omitted, any scheme is allowed as long as the host matches.
///
/// The behavior is as follows:
/// - `None` (default) no filtering enabled.
/// - `Some(vec)` where `vec` is empty, all outbound traffic is blocked.
/// - `Some(vec)` with at least one pattern, filtering enabled for only those patterns.
///
/// These settings are consumed by [`RestrictedResolver`].
///
/// For information on when the SDK might perform an outbound network request, see "[When do outbound network requests occur?]"
///
/// [When do outbound network requests occur?]: crate::http#when-do-outbound-network-requests-occur
/// [`HostPattern`]: crate::http::restricted::HostPattern
/// [`RestrictedResolver`]: crate::http::restricted::RestrictedResolver

@ok-nick ok-nick marked this pull request as ready for review November 25, 2025 18:11
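
The matching rules quoted in the description above, sketched as an added example that is not part of the PR or the SDK's code. All type and function names are hypothetical; it assumes the wildcard covers any subdomain depth and rejects URIs with a port or userinfo instead of parsing them.

```rust
// Added illustration: `Pattern`, `parse_pattern`, `pattern_matches` and `is_allowed`
// are hypothetical names, not the SDK's API. Ports and userinfo fail closed.
struct Pattern {
    scheme: Option<String>, // lowercased; None means any scheme
    host: String,           // lowercased, without the leading "*."
    wildcard: bool,
}

fn parse_pattern(raw: &str) -> Pattern {
    let lower = raw.trim().to_ascii_lowercase();
    let (scheme, rest) = match lower.split_once("://") {
        Some((s, r)) => (Some(s.to_string()), r),
        None => (None, lower.as_str()),
    };
    let (wildcard, host) = match rest.strip_prefix("*.") {
        Some(h) => (true, h),
        None => (false, rest),
    };
    Pattern { scheme, host: host.to_string(), wildcard }
}

fn pattern_matches(p: &Pattern, scheme: &str, host: &str) -> bool {
    let (scheme, host) = (scheme.to_ascii_lowercase(), host.to_ascii_lowercase());
    if p.scheme.as_deref().is_some_and(|s| s != scheme.as_str()) {
        return false; // pattern pins a scheme and the URI uses another one
    }
    if !p.wildcard {
        return host == p.host;
    }
    // Wildcard: the host must end in ".<suffix>" with a non-empty label in front,
    // so neither the apex nor "fake<suffix>" slips through a plain ends_with().
    host.strip_suffix(p.host.as_str())
        .and_then(|pre| pre.strip_suffix('.'))
        .is_some_and(|label| !label.is_empty())
}

fn is_allowed(allowed: Option<&[&str]>, uri: &str) -> bool {
    let Some(list) = allowed else { return true }; // None: filtering disabled
    let Some((scheme, rest)) = uri.split_once("://") else { return false };
    let host = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    if host.is_empty() || host.contains(|c: char| c == '@' || c == ':') {
        return false;
    }
    list.iter().any(|raw| pattern_matches(&parse_pattern(raw), scheme, host))
}

fn main() {
    let allow = ["https://*.contentauthenticity.org"]; // constructed sample list
    println!("{}", is_allowed(Some(&allow[..]), "https://sub.contentauthenticity.org/x"));
}
```

The `Some(&[])` case needs no special handling: `any` over an empty list is false, so every request is blocked.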

codspeed-hq bot commented Nov 25, 2025

CodSpeed Performance Report

Merging #1630 will not alter performance

Comparing ok-nick/restricted-http (bf2b76d) with main (70c4a1b)

Summary

✅ 16 untouched
⏩ 2 skipped [1]

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

Collaborator

@scouten-adobe scouten-adobe left a comment

Very nice work

Contributor

tmathern commented Dec 2, 2025

@scouten-adobe @ok-nick "constrain HTTP requests to a known list of allowed hosts." How and who will manage that list?
Answer: User-provided list. So we should be good here, and no defaults are included either! 👍

Contributor

tmathern commented Dec 4, 2025

@ok-nick Maybe a suggestion because there is a lot of related work in-flight: Group your PRs into a feature branch (as you see fit)? So they will be easier to integrate together (since it seems they'll be in the same release too), and maybe easier to maintain while in their branch(es). Wdyt?

#1630 and #1618 I could see released together. For the rest, developer's choice!

Contributor Author

ok-nick commented Dec 4, 2025

@tmathern I would keep #1618 separate because it is on hold until we have an API to pass settings to the reader/builder, unlike this PR.

@ok-nick ok-nick merged commit 36eeab8 into main Dec 4, 2025
24 checks passed
@ok-nick ok-nick deleted the ok-nick/restricted-http branch December 4, 2025 19:57
@caiopensrc caiopensrc mentioned this pull request Dec 4, 2025
gpeacock pushed a commit that referenced this pull request Dec 16, 2025
* feat: foundation for restricted http resolvers

* docs: document when outbound network requests occur

* fix: consolidate sync and async restricted resolver

* docs: document restricted resolvers and patterns

* test: add basic restricted resolver tests

* fix: optional allowed hosts and refined restricted tests

* fix: remove unused code WASM

* fix: simplify host pattern implementation

* docs: clarify why/how restrict networking and dynamic endpoints

* docs: mention remote signer settings invokes network requests

* docs: clarify `http` crate exports

* docs: clarify returns true

* docs: refer to settings

* docs: support for IP addresses and ports

* fix: add support for ports in allowed lists

* fix: support only scheme

* test: remove unrelated test image

* docs: add new setting to settings.md

* docs: add host pattern examples

* test: invalid pattern unit test

* docs: remove empty line

* docs: warn CAWG does not respect this setting yet