
Fix Referer header validation bypass via URL normalization #117

Merged: Yashb404 merged 4 commits into feat/keys-fresh from copilot/sub-pr-116 on Feb 11, 2026

Conversation


Copilot AI commented Feb 11, 2026

The Referer header whitelist used exact string matching, allowing trivial bypasses by appending query parameters or fragments. An attacker could access restricted embeds by visiting https://allowed-site.com/article?bypass=1 instead of the whitelisted https://allowed-site.com/article.

Changes

  • URL normalization function: Parses URLs and compares only scheme://host/path, stripping query parameters, fragments, and trailing slashes
  • Scheme restriction: Only http/https accepted; rejects file://, javascript:, data:, etc.
  • Host validation: Requires valid host, no empty host strings
  • Applied to all whitelist operations: Referer validation, whitelist add/remove

Example

// Before: exact match required
"https://medium.com/@user/article" == "https://medium.com/@user/article?bypass=1"  // false ❌

// After: normalized comparison
normalize_url("https://medium.com/@user/article?bypass=1")  // "https://medium.com/@user/article" ✓
normalize_url("https://medium.com/@user/article#fragment") // "https://medium.com/@user/article" ✓
normalize_url("file:///etc/passwd")                         // None (rejected) ✓

Logging added for failed normalization attempts. Error messages clarify rejection reasons.
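The normalization described in the PR, written out as an added example (not the project's own code): reduce a URL to lowercase `scheme://host/path`, drop query, fragment and trailing slashes, accept only http/https with a non-empty host, log the rejection reason, and apply the same function both when adding whitelist entries and when checking a Referer. Keeping an explicit port as part of the host is an assumption of this example.

```python
import logging
from urllib.parse import urlsplit

logger = logging.getLogger(__name__)
ALLOWED_SCHEMES = {"http", "https"}


def normalize_url(url):
    """Reduce url to lowercase scheme://host/path, or None if rejected.

    Query string, fragment and trailing slashes are dropped so that
    'https://a.com/x?bypass=1' and 'https://a.com/x/' compare equal to
    'https://a.com/x'. Only http/https with a non-empty host are accepted.
    An explicit port is kept (assumption: host:port is not the same origin).
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        logger.warning("Rejected %r: unparsable URL (%s)", url, exc)
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        logger.warning("Rejected %r: scheme %r is not http/https", url, scheme)
        return None
    if not host:
        logger.warning("Rejected %r: empty host", url)
        return None
    netloc = f"{host}:{port}" if port else host
    path = parts.path.rstrip("/")  # dot-segments are not collapsed here
    return f"{scheme}://{netloc}{path}"


def build_whitelist(entries):
    """Normalize entries on add; invalid ones are dropped (and logged)."""
    return {n for n in (normalize_url(e) for e in entries) if n is not None}


def is_referer_allowed(referer, whitelist):
    """True if the Referer normalizes to an entry of the normalized whitelist."""
    if not referer:
        return False
    normalized = normalize_url(referer)
    return normalized is not None and normalized in whitelist
```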



Copilot AI and others added 3 commits February 11, 2026 04:38
…security bypasses

Co-authored-by: Yashb404 <139128977+Yashb404@users.noreply.github.com>
…alid hosts

Co-authored-by: Yashb404 <139128977+Yashb404@users.noreply.github.com>
Co-authored-by: Yashb404 <139128977+Yashb404@users.noreply.github.com>
Copilot AI changed the title [WIP] Update secure embed authorization implementation based on feedback Fix Referer header validation bypass via URL normalization Feb 11, 2026
Copilot AI requested a review from Yashb404 February 11, 2026 04:45
@Yashb404 Yashb404 marked this pull request as ready for review February 11, 2026 04:48
@Yashb404 Yashb404 merged commit 4e25442 into feat/keys-fresh Feb 11, 2026
@Yashb404 Yashb404 deleted the copilot/sub-pr-116 branch February 11, 2026 04:49