Skip to content

feat: Restricted HTTP resolvers #1630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

feat: Restricted HTTP resolvers #1630

wants to merge 9 commits into from
+517 −13

Conversation

@ok-nick
Copy link
Contributor

@ok-nick ok-nick commented Nov 24, 2025
edited
Loading

Introduces a new RestrictedResolver struct to restrict an inner Sync/AsyncHttpResolver with the specified allowed list. For the SDK, this is used specifically with the core.allowed_network_hosts setting to constrain HTTP requests to a known list of allowed hosts.

The default behavior of the SDK is to wrap a Sync/AsyncGenericResolver with a RestrictedResolver using the core.allowed_network_hosts setting. Eventually HTTP resolvers and settings will be passed in directly as structs.

The behavior for core.allowed_network_hosts is defined as follows:

/// List of host patterns that are allowed for outbound network requests.
///
/// Each pattern may include:
/// - A scheme (e.g. `https://` or `http://`)
/// - A hostname, which may have a single leading wildcard (e.g. `*.contentauthenticity.org`)
///
/// Matching is case-insensitive. A wildcard pattern such as `*.contentauthenticity.org` matches
/// `sub.contentauthenticity.org`, but does not match `contentauthenticity.org` or `fakecontentauthenticity.org`.
/// If a scheme is present in the pattern, only URIs using the same scheme are considered a match. If the scheme
/// is omitted, any scheme is allowed as long as the host matches.
///
/// The behavior is as follows:
/// - `None` (default) no filtering enabled.
/// - `Some(vec)` where `vec` is empty, all outbound traffic is blocked.
/// - `Some(vec)` with at least one pattern, filtering enabled for only those patterns.
///
/// These settings are consumed by [`RestrictedResolver`].
///
/// For information on when the SDK might perform an outbound network request, see "[When do outbound network requests occur?]"
///
/// [When do outbound network requests occur?]: crate::http#when-do-outbound-network-requests-occur
/// [`HostPattern`]: crate::http::restricted::HostPattern
/// [`RestrictedResolver`]: crate::http::restricted::RestrictedResolver

TODO: test suite

@ok-nick ok-nick marked this pull request as ready for review November 25, 2025 18:11
@codspeed-hq
Copy link

codspeed-hq bot commented Nov 25, 2025
edited
Loading

CodSpeed Performance Report

Merging #1630 will not alter performance

Comparing ok-nick/restricted-http (d44ecea) with main (352a968)

Summary

✅ 16 untouched
⏩ 2 skipped1

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

safe to test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ok-nick