fix(gateway): land openclaw#39064 from @Narcooo

steipete · Narcooo · steipete · commit 2f59a3cff341 · 2026-03-07T18:52:42.000Z
Co-authored-by: Narcooo &lt;Narcooo@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -247,6 +247,7 @@ Docs: https://docs.openclaw.ai
 - Discord/native slash command auth: honor `commands.allowFrom.discord` (and `commands.allowFrom["*"]`) in guild slash-command pre-dispatch authorization so allowlisted senders are no longer incorrectly rejected as unauthorized. (#38794) Thanks @jskoiz and @thewilloftheshadow.
 - Outbound/message target normalization: ignore empty legacy `to`/`channelId` fields when explicit `target` is provided so valid target-based sends no longer fail legacy-param validation; includes regression coverage. (#38944) Thanks @Narcooo.
 - Models/auth token prompts: guard cancelled manual token prompts so `Symbol(clack:cancel)` values cannot be persisted into auth profiles; adds regression coverage for cancelled `models auth paste-token`. (#38951) Thanks @MumuTW.
+- Gateway/loopback announce URLs: treat `http://` and `https://` aliases with the same loopback/private-network policy as websocket URLs so loopback cron announce delivery no longer fails secure URL validation. (#39064) Thanks @Narcooo.
 
 ## 2026.3.2
 
diff --git a/src/gateway/net.test.ts b/src/gateway/net.test.ts
@@ -439,8 +439,10 @@ describe("isSecureWebSocketUrl", () => {
       // invalid URLs
       { input: "not-a-url", expected: false },
       { input: "", expected: false },
-      { input: "http://127.0.0.1:18789", expected: false },
-      { input: "https://127.0.0.1:18789", expected: false },
+      { input: "http://127.0.0.1:18789", expected: true },
+      { input: "https://127.0.0.1:18789", expected: true },
+      { input: "https://remote.example.com:18789", expected: true },
+      { input: "http://remote.example.com:18789", expected: false },
     ] as const;
 
     for (const testCase of cases) {
@@ -451,6 +453,7 @@ describe("isSecureWebSocketUrl", () => {
   it("allows private ws:// only when opt-in is enabled", () => {
     const allowedWhenOptedIn = [
       "ws://10.0.0.5:18789",
+      "http://10.0.0.5:18789",
       "ws://172.16.0.1:18789",
       "ws://192.168.1.100:18789",
       "ws://100.64.0.1:18789",
diff --git a/src/gateway/net.ts b/src/gateway/net.ts
@@ -421,11 +421,17 @@ export function isSecureWebSocketUrl(
     return false;
   }
 
-  if (parsed.protocol === "wss:") {
+  // Node's ws client accepts http(s) URLs and normalizes them to ws(s).
+  // Treat those aliases the same way here so loopback cron announce delivery
+  // and TLS-backed https endpoints follow the same security policy.
+  const protocol =
+    parsed.protocol === "https:" ? "wss:" : parsed.protocol === "http:" ? "ws:" : parsed.protocol;
+
+  if (protocol === "wss:") {
     return true;
   }
 
-  if (parsed.protocol !== "ws:") {
+  if (protocol !== "ws:") {
     return false;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -421,11 +421,17 @@ export function isSecureWebSocketUrl(`
`421`	`421`	`return false;`
`422`	`422`	`}`
`423`	`423`
`424`		`- if (parsed.protocol === "wss:") {`
	`424`	`+ // Node's ws client accepts http(s) URLs and normalizes them to ws(s).`
	`425`	`+ // Treat those aliases the same way here so loopback cron announce delivery`
	`426`	`+ // and TLS-backed https endpoints follow the same security policy.`
	`427`	`+ const protocol =`
	`428`	`+ parsed.protocol === "https:" ? "wss:" : parsed.protocol === "http:" ? "ws:" : parsed.protocol;`
	`429`	`+`
	`430`	`+ if (protocol === "wss:") {`
`425`	`431`	`return true;`
`426`	`432`	`}`
`427`	`433`
`428`		`- if (parsed.protocol !== "ws:") {`
	`434`	`+ if (protocol !== "ws:") {`
`429`	`435`	`return false;`
`430`	`436`	`}`
`431`	`437`