chore: stricter referrer check per rfc9700 #2479

Open
staaldraad wants to merge 3 commits into master from chore/prodsec-89

Conversation

@staaldraad
Member

What kind of change does this PR introduce?

chore

What is the current behavior?

only the hostname is compared in the referrer check

What is the new behavior?

validates that the scheme and port also match

Additional context

Follows the RFC by having an exception for localhost

RFC9700 calls for strict URL validation, not just hostname:

This means the authorization server MUST ensure that the two URIs are equal; see Section 6.2.1 of [RFC3986], Simple String Comparison, for details. The only exception is native apps using a localhost URI: In this case, the authorization server MUST allow variable port numbers as described in Section 7.3 of [RFC8252].
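As an added illustration (this is example code, not the PR's diff or the project's implementation), the check below contrasts the hostname-only comparison described as the current behavior with the stricter scheme+host+port comparison the PR introduces, keeping the loopback port exception from RFC 8252 section 7.3. The function names and the set of hosts treated as loopback are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// loopbackHosts: hosts for which RFC 8252 section 7.3 requires accepting any
// port, because native apps bind an ephemeral loopback port. Including
// "localhost" alongside the IP literals is an assumption of this example.
var loopbackHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}

// HostOnlyMatches is the weaker check the PR replaces: comparing hostnames
// alone lets a referrer on a different scheme or port pass. Kept for contrast.
func HostOnlyMatches(registered, referrer string) bool {
	reg, err1 := url.Parse(registered)
	ref, err2 := url.Parse(referrer)
	return err1 == nil && err2 == nil && reg.Hostname() != "" && reg.Hostname() == ref.Hostname()
}

// OriginMatches compares scheme, host and port of the referrer against the
// registered URI using plain string comparison of each component (no case or
// default-port normalisation, per RFC 3986 section 6.2.1). The only relaxation
// is the loopback exception: a loopback registration accepts any port, but the
// scheme and host must still match exactly.
func OriginMatches(registered, referrer string) (bool, error) {
	reg, err := url.Parse(registered)
	if err != nil {
		return false, err
	}
	ref, err := url.Parse(referrer)
	if err != nil {
		return false, err
	}
	if reg.Scheme == "" || reg.Host == "" || ref.Scheme == "" || ref.Host == "" {
		return false, errors.New("both URIs must be absolute and carry a host")
	}
	if reg.Scheme != ref.Scheme || reg.Hostname() != ref.Hostname() {
		return false, nil
	}
	if loopbackHosts[reg.Hostname()] {
		return true, nil // RFC 8252 7.3: variable port allowed on loopback
	}
	return reg.Port() == ref.Port(), nil
}

func main() {
	// Constructed sample: a scheme downgrade passes the old check, fails the new one.
	fmt.Println(HostOnlyMatches("https://app.example.com", "http://app.example.com/login"))
	fmt.Println(OriginMatches("https://app.example.com", "http://app.example.com/login"))
}
```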
@staaldraad staaldraad requested a review from a team as a code owner April 13, 2026 11:18