Require HTTPS for CDN requests (#15660)

charliermarsh · web-flow · commit 8473ecba1166 · 2025-09-03T13:32:12.000Z
## Summary

This should arguably enforce same-realm (as the API), but this is a good
guardrail for now.
diff --git a/crates/uv-auth/src/pyx.rs b/crates/uv-auth/src/pyx.rs
@@ -539,7 +539,7 @@ fn is_known_url(url: &Url, api: &DisplaySafeUrl, cdn: &str) -> bool {
     //
     // For example, if URL is on `files.astralhosted.com` and the CDN domain is
     // `astralhosted.com`, consider it known.
-    if matches_domain(url, cdn) {
+    if matches!(url.scheme(), "https") && matches_domain(url, cdn) {
         return true;
     }
 
@@ -603,6 +603,13 @@ mod tests {
             cdn_domain
         ));
 
+        // CDN on HTTP.
+        assert!(!is_known_url(
+            &Url::parse("http://astralhosted.com/packages/").unwrap(),
+            &api_url,
+            cdn_domain
+        ));
+
         // Unknown domain.
         assert!(!is_known_url(
             &Url::parse("https://pypi.org/simple/").unwrap(),
