Skip to content

[fix] Display wildcard addresses as localhost in URLs#13720

Merged
sfc-gh-nbellante merged 3 commits intodevelopfrom
fix-wildcard-display-address
Jan 28, 2026
Merged

[fix] Display wildcard addresses as localhost in URLs#13720
sfc-gh-nbellante merged 3 commits intodevelopfrom
fix-wildcard-display-address

Conversation

@sfc-gh-nbellante
Copy link
Copy Markdown
Contributor

@sfc-gh-nbellante sfc-gh-nbellante commented Jan 27, 2026
edited
Loading

Describe your changes

Improved URL display for wildcard IP addresses. When using wildcard addresses like "0.0.0.0" or "::" for the server, these are now displayed as "localhost" in the browser URL and console output. This makes the URLs more user-friendly and avoids confusion, as wildcard addresses aren't directly accessible in browsers on all platforms.

This closes #13712

Testing Plan

  • Unit Tests (Python): Added comprehensive tests to verify wildcard addresses are properly translated to "localhost" for display purposes
    • Added tests for both IPv4 (0.0.0.0) and IPv6 (::) wildcard addresses
    • Added tests to verify non-wildcard addresses remain unchanged
    • Added tests to verify the URLs displayed in the console use the translated addresses

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

@sfc-gh-nbellante
Fix displayed URL showing 0.0.0.0 instead of localhost
140b96c 
When running Streamlit with --server.address=0.0.0.0, the displayed
URL was http://0.0.0.0:8501 which doesn't work on Windows and is
generally not useful since 0.0.0.0 is a wildcard address meaning
"bind to all interfaces" - not a navigable address.

Added get_display_address() utility that translates wildcard addresses
(0.0.0.0, ::) to localhost for display/browser purposes. The actual
server binding remains unchanged.

Fixes #13712
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jan 27, 2026
edited
Loading

✅ PR preview is ready!

Name Link
📦 Wheel file https://core-previews.s3-us-west-2.amazonaws.com/pr-13720/streamlit-1.53.1-py3-none-any.whl
📦 @streamlit/component-v2-lib Download from artifacts
🕹️ Preview app pr-13720.streamlit.app (☁️ Deploy here if not accessible)

@sfc-gh-nbellante Graphite App
Copy link
Copy Markdown
Contributor Author

sfc-gh-nbellante commented Jan 27, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.

@snyk-io
Copy link
Copy Markdown
Contributor

snyk-io bot commented Jan 27, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@sfc-gh-nbellante sfc-gh-nbellante changed the title Fix displayed URL showing 0.0.0.0 instead of localhost [fix] Display wildcard addresses as localhost in URLs Jan 27, 2026
@sfc-gh-nbellante sfc-gh-nbellante added security-assessment-completed change:bugfix PR contains bug fix implementation impact:users PR changes affect end users ai-review If applied to PR or issue will run AI review workflow labels Jan 27, 2026
@github-actions github-actions bot removed the ai-review If applied to PR or issue will run AI review workflow label Jan 27, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jan 27, 2026

Summary

This PR fixes an issue where wildcard addresses (0.0.0.0 for IPv4 and :: for IPv6) were displayed as-is in the URL shown to users when starting a Streamlit app. These addresses are not valid browser URLs on all platforms (notably Windows). The fix translates these wildcard addresses to localhost for display purposes while keeping the actual server binding unchanged.

Changes:

  • Added get_display_address() utility function in server_util.py that translates 0.0.0.0 and :: to localhost
  • Updated _print_url() in bootstrap.py to use the new function for console URL display
  • Updated maybe_open_browser() in bootstrap.py to use the new function when auto-opening the browser

Code Quality

The implementation is clean and follows existing patterns in the codebase:

  1. get_display_address() function (lib/streamlit/web/server/server_util.py:140-159):

    • Well-documented with numpy-style docstring
    • Simple and focused - does one thing well
    • Uses a set for O(1) lookup of wildcard addresses
    • Correctly includes # noqa: S104 to suppress Bandit security warnings for the 0.0.0.0 literal

  2. Usage in bootstrap.py:

    • Line 142: Correctly applies to maybe_open_browser() ensuring the browser opens with a valid URL
    • Lines 251-255: Correctly applies to _print_url() ensuring the console shows a valid URL

  3. Code placement: The utility function is appropriately placed in server_util.py alongside related URL functions like get_url().

No issues identified.

Test Coverage

The test coverage is comprehensive and well-structured:

  1. Unit tests for get_display_address() (lib/tests/streamlit/web/server/server_util_test.py:150-167):

    • Parameterized test covering both wildcards (0.0.0.0, ::) and non-wildcards (127.0.0.1, localhost, 192.168.1.100, myhost.local)
    • Includes a negative/regression test (test_get_display_address_does_not_modify_non_wildcards) verifying non-wildcards are returned unchanged

  2. Integration tests for _print_url() (lib/tests/streamlit/web/bootstrap_test.py:296-342):

    • test_print_urls_with_wildcard_address: Tests IPv4 wildcard 0.0.0.0 is displayed as localhost
    • test_print_urls_with_ipv6_wildcard: Tests IPv6 wildcard :: is displayed as localhost
    • Both tests include negative assertions (verifying raw addresses don't appear in output)

Observation: There are no tests specifically for the maybe_open_browser() function's new behavior. However, this is acceptable because:

  • The function is already tested indirectly through _on_server_start
  • The core logic is in get_display_address() which is thoroughly tested
  • Adding browser-specific tests would require complex mocking with minimal additional coverage value

Backwards Compatibility

No breaking changes. This PR only affects the display/UI layer:

  • The actual server binding address is unchanged - servers will still bind to 0.0.0.0 or :: when configured
  • Only the URL shown to users (console output and browser auto-open) is modified
  • Users who explicitly set browser.serverAddress are unaffected (that takes precedence)
  • Unix socket configurations are unaffected

Security & Risk

No security concerns identified.

  • The change is purely cosmetic/UX focused
  • No new attack vectors introduced
  • The # noqa: S104 comment appropriately suppresses Bandit's false positive for the hardcoded 0.0.0.0 string (which is being checked, not used as a binding address)

Recommendations

The PR is well-implemented with no required changes. Minor observations:

  1. Optional enhancement: The UvicornRunner class has a TODO at line 461 (# TODO(lukasmasuch): Print the URL with the selected port.). When this is implemented in the future, it should also use get_display_address() for consistency. This is out of scope for this PR.

  2. Good practice noted: The test cases include both positive assertions (correct translation happens) and negative assertions (raw addresses don't appear), which aligns with the testing guidelines.

Verdict

APPROVED: The PR correctly fixes the URL display issue for wildcard addresses with clean implementation, comprehensive test coverage, and no backwards compatibility concerns.

This is an automated AI review using opus-4.5-thinking. Please verify the feedback and use your judgment.

@sfc-gh-nbellante sfc-gh-nbellante marked this pull request as ready for review January 27, 2026 16:50
Copilot AI review requested due to automatic review settings January 27, 2026 16:50
Copilot AI reviewed Jan 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes issue #13712 where wildcard IP addresses (0.0.0.0 and ::) displayed in URLs don't work in browsers on Windows. The solution translates wildcard addresses to "localhost" for display purposes while keeping the actual server binding unchanged.

Changes:

  • Added a new utility function get_display_address() to translate wildcard addresses to "localhost"
  • Updated URL display logic in bootstrap.py to use the translated addresses for both console output and browser opening
  • Added comprehensive unit tests for the new functionality

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
lib/streamlit/web/server/server_util.py Added get_display_address() function to translate wildcard addresses (0.0.0.0, ::) to "localhost"
lib/streamlit/web/bootstrap.py Updated URL printing and browser opening logic to use display-friendly addresses
lib/tests/streamlit/web/server/server_util_test.py Added parameterized tests for get_display_address() function
lib/tests/streamlit/web/bootstrap_test.py Added tests verifying wildcard addresses are displayed as localhost in URLs

@sfc-gh-nbellante sfc-gh-nbellante enabled auto-merge (squash) January 27, 2026 18:39
@lukasmasuch
Copy link
Copy Markdown
Collaborator

lukasmasuch commented Jan 27, 2026
edited
Loading

If you start streamlit without specifing an address, it will use 0.0.0.0 and show a local and network URL:

Local URL: http://localhost:8501
Network URL: http://192.168.1.x:8501

We might want to do the same in case of these wildcards to indicate that the server is also exposed on the given IP.

@sfc-gh-nbellante
Show Network URL for wildcard addresses (0.0.0.0, ::)
2e11ada 
When server.address is explicitly set to a wildcard address,
show both Local URL and Network URL instead of just a single URL.
This makes the output consistent with the default behavior where
no address is specified.
lukasmasuch
lukasmasuch approved these changes Jan 28, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@lukasmasuch lukasmasuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@sfc-gh-nbellante sfc-gh-nbellante merged commit 3d9bca8 into develop Jan 28, 2026
42 checks passed
@sfc-gh-nbellante sfc-gh-nbellante deleted the fix-wildcard-display-address branch January 28, 2026 17:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lukasmasuch lukasmasuch lukasmasuch approved these changes

Assignees

No one assigned

Labels

change:bugfix PR contains bug fix implementation impact:users PR changes affect end users

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

displayed url with binding address 0.0.0.0 fails on Windows

3 participants

@sfc-gh-nbellante @lukasmasuch