pub struct SsrfPolicy {
    pub reject_ip_literals: bool,
    pub allow_http: bool,
    pub allow_loopback_resolved: bool,
}
SSRF policy applied to outbound HTTP requests.
Fields

reject_ip_literals: bool
    If true, reject IP literals in the URL (forces DNS resolution).

allow_http: bool
    If false, only https:// URLs are accepted. Default false.

allow_loopback_resolved: bool
    When true, permit IPv4 127.0.0.0/8 and IPv6 ::1 (loopback) across Self::check_ip, Self::check_resolved_ip and Self::pin_resolved_ip. All other forbidden ranges (RFC 1918, link-local / IMDS, ULA, CGNAT, multicast, …) still apply. Default false.
    Intended for test harnesses that resolve did:web:localhost… against a self-signed in-process HTTPS server bound to 127.0.0.1. Production callers MUST keep this false: opening loopback turns the resolver into an SSRF vector against process-internal listeners (RFC-ACDP-0008 §4.8).
Implementations

impl SsrfPolicy

pub fn check_url(&self, url: &str) -> Result<(), AcdpError>
    Validate a URL string (scheme + host) before issuing a request.
    Back-compat wrapper over Self::classify_url: a rejection maps to AcdpError::SchemaViolation with the same detail message callers have always seen.
pub fn classify_url(&self, url: &str) -> Result<(), SsrfRejection>
    Validate a URL string, returning a stable SsrfRejection (reason code + detail) on failure.
    Checks scheme (HTTPS-only unless allow_http), IP-literal rejection, per-IP range filtering for literal hosts, and hostname length. Prefer this over Self::check_url when the caller needs to branch on why the URL was rejected (e.g. a language binding mapping to a typed exception).
pub fn check_resolved_ip(&self, ip: IpAddr) -> Result<(), AcdpError>
    Validate an already-resolved IpAddr, useful when DNS resolution is performed externally and the caller wants to filter pre-connect. Respects Self::allow_loopback_resolved.
pub fn check_ip(&self, ip: IpAddr) -> Result<(), AcdpError>
    Range filter for a single IpAddr, respecting the policy's Self::allow_loopback_resolved flag.
    Back-compat wrapper over Self::classify_ip.
pub fn classify_ip(&self, ip: IpAddr) -> Result<(), SsrfRejection>
    Range filter for a single IpAddr, returning a stable SsrfRejection (reason code + detail) when the address falls in a forbidden range. Respects Self::allow_loopback_resolved.
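The range filter behind check_ip / check_resolved_ip / classify_ip, written out as an added, self-contained example; this is not the crate's own code. It reimplements the semantics the field and method docs above describe (loopback gated by allow_loopback_resolved, everything else in RFC 1918, link-local / IMDS, ULA, CGNAT and multicast always rejected) using only std. The reason strings, the reduced SsrfPolicy with a single field, and the SsrfRejection layout are this example's assumptions. It goes one step beyond the page's wording by unmapping IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before classifying them, which a filter that only inspects the IPv6 form would otherwise let through.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Stable reason code + detail, mirroring the documented SsrfRejection shape.
/// The concrete reason strings are this example's own.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SsrfRejection {
    pub reason: &'static str,
    pub detail: String,
}

/// Stand-in for the documented policy, reduced to the one field this filter consults.
#[derive(Debug, Clone, Default)]
pub struct SsrfPolicy {
    pub allow_loopback_resolved: bool,
}

/// Name the forbidden IPv4 range an address falls in, or None if it is routable.
fn forbidden_v4(ip: Ipv4Addr) -> Option<&'static str> {
    let [a, b, _, _] = ip.octets();
    if ip.is_loopback() {
        Some("loopback") // 127.0.0.0/8
    } else if ip.is_private() {
        Some("rfc1918") // 10/8, 172.16/12, 192.168/16
    } else if ip.is_link_local() {
        Some("link_local") // 169.254.0.0/16, which contains the IMDS address 169.254.169.254
    } else if a == 100 && (b & 0xC0) == 64 {
        Some("cgnat") // 100.64.0.0/10 (RFC 6598); std has no stable helper for this
    } else if ip.is_multicast() {
        Some("multicast") // 224.0.0.0/4
    } else if ip.is_unspecified() || ip.is_broadcast() {
        Some("unspecified_or_broadcast")
    } else {
        None
    }
}

/// Same for IPv6. IPv4-mapped addresses are judged as their IPv4 form first.
fn forbidden_v6(ip: Ipv6Addr) -> Option<&'static str> {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return forbidden_v4(v4);
    }
    let seg0 = ip.segments()[0];
    if ip.is_loopback() {
        Some("loopback") // ::1
    } else if ip.is_unspecified() {
        Some("unspecified_or_broadcast")
    } else if (seg0 & 0xffc0) == 0xfe80 {
        Some("link_local") // fe80::/10
    } else if (seg0 & 0xfe00) == 0xfc00 {
        Some("ula") // fc00::/7
    } else if ip.is_multicast() {
        Some("multicast") // ff00::/8
    } else {
        None
    }
}

impl SsrfPolicy {
    /// Range filter for a single address. Loopback is the only range the
    /// policy flag can open; every other hit is rejected unconditionally.
    pub fn classify_ip(&self, ip: IpAddr) -> Result<(), SsrfRejection> {
        let hit = match ip {
            IpAddr::V4(v4) => forbidden_v4(v4),
            IpAddr::V6(v6) => forbidden_v6(v6),
        };
        match hit {
            None => Ok(()),
            Some("loopback") if self.allow_loopback_resolved => Ok(()),
            Some(reason) => Err(SsrfRejection {
                reason,
                detail: format!("{ip} is in forbidden range {reason}"),
            }),
        }
    }
}

fn main() {
    // Constructed sample addresses: one public, the rest in ranges the docs list.
    let prod = SsrfPolicy::default();
    let harness = SsrfPolicy { allow_loopback_resolved: true };
    for s in ["93.184.216.34", "127.0.0.1", "::ffff:127.0.0.1", "169.254.169.254", "100.64.1.1", "fd00::1", "::1"] {
        let ip: IpAddr = s.parse().expect("constructed literal parses");
        println!(
            "{s:>18}  prod={:?}  harness={:?}",
            prod.classify_ip(ip).map_err(|r| r.reason),
            harness.classify_ip(ip).map_err(|r| r.reason)
        );
    }
}
```

Note that the harness policy still rejects 169.254.169.254 and the other non-loopback ranges: the flag widens exactly one range, as the field documentation requires.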
    Per §7.5: a redirect is permitted only if it stays within the same fetch authority as the originating request: identical scheme, host, and effective port (RFC-ACDP-0008 §4.8: "host + port").
    Same-authority redirect check returning a stable SsrfRejection. See Self::check_redirect_authority.

pub fn classify_redirect(&self, from_url: &str, to_url: &str) -> Result<(), SsrfRejection>
    String-in/string-in convenience over Self::classify_redirect_authority for FFI callers that hold both endpoints as strings (no url::Url on the boundary). Parses from_url as the origin authority, then applies the same scheme + host + effective-port equality.
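The same-authority rule from §7.5, as an added example that is not the crate's code: it shows what "effective port" means in practice (https://example.com and https://example.com:443 are the same authority; a redirect to :8443, to http://, or to another host is not) and how the string-in/string-in classify_redirect layers over the authority-based check. To stay std-only it uses a small hand-written scheme/host/port parser in place of url::Url; that parser, the unit-struct SsrfPolicy, the Authority type and the reason strings are all this example's assumptions. One deliberate choice: a userinfo component is rejected outright, since "https://good.example@evil.example/" is a classic way to make a host comparison look right to the eye.

```rust
/// scheme + host + effective port: the "fetch authority" a redirect must preserve.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Authority {
    pub scheme: String,
    pub host: String,
    pub port: u16,
}

/// Stable reason code + detail; reason strings are this example's own.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SsrfRejection {
    pub reason: &'static str,
    pub detail: String,
}

fn reject(reason: &'static str, detail: String) -> SsrfRejection {
    SsrfRejection { reason, detail }
}

/// Minimal stand-in for url::Url: extracts scheme, host and effective port.
/// Only http/https are understood; the default port fills in when none is given.
pub fn parse_authority(url: &str) -> Result<Authority, SsrfRejection> {
    let (scheme, rest) = url
        .split_once("://")
        .ok_or_else(|| reject("bad_url", format!("no scheme separator in {url:?}")))?;
    let scheme = scheme.to_ascii_lowercase();
    let default_port = match scheme.as_str() {
        "https" => 443,
        "http" => 80,
        other => return Err(reject("scheme", format!("unsupported scheme {other:?}"))),
    };
    // The authority ends at the first path, query or fragment delimiter.
    let end = rest.find(|c: char| c == '/' || c == '?' || c == '#').unwrap_or(rest.len());
    let authority = &rest[..end];
    if authority.contains('@') {
        return Err(reject("userinfo", "userinfo in authority is not allowed".to_string()));
    }
    // Bracketed IPv6 literals contain ':' themselves, so split them separately.
    let (host, port_str) = if let Some(inner) = authority.strip_prefix('[') {
        let close = inner
            .find(']')
            .ok_or_else(|| reject("bad_url", "unterminated IPv6 literal".to_string()))?;
        let after = &inner[close + 1..];
        if !after.is_empty() && !after.starts_with(':') {
            return Err(reject("bad_url", format!("junk after IPv6 literal: {after:?}")));
        }
        (&authority[..close + 2], after.strip_prefix(':'))
    } else {
        match authority.split_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (authority, None),
        }
    };
    if host.is_empty() {
        return Err(reject("bad_url", "empty host".to_string()));
    }
    let port = match port_str {
        None => default_port,
        Some(p) => p
            .parse::<u16>()
            .map_err(|_| reject("bad_port", format!("invalid port {p:?}")))?,
    };
    Ok(Authority { scheme, host: host.to_ascii_lowercase(), port })
}

/// Stand-in for the documented policy; the redirect rule needs no fields.
pub struct SsrfPolicy;

impl SsrfPolicy {
    /// Same-authority check against an already-parsed origin.
    pub fn classify_redirect_authority(&self, origin: &Authority, to_url: &str) -> Result<(), SsrfRejection> {
        let target = parse_authority(to_url)?;
        if target.scheme != origin.scheme {
            Err(reject("redirect_scheme", format!("{} -> {}", origin.scheme, target.scheme)))
        } else if target.host != origin.host {
            Err(reject("redirect_host", format!("{} -> {}", origin.host, target.host)))
        } else if target.port != origin.port {
            Err(reject("redirect_port", format!("{} -> {}", origin.port, target.port)))
        } else {
            Ok(())
        }
    }

    /// String-in/string-in convenience: parse from_url as the origin, then delegate.
    pub fn classify_redirect(&self, from_url: &str, to_url: &str) -> Result<(), SsrfRejection> {
        let origin = parse_authority(from_url)?;
        self.classify_redirect_authority(&origin, to_url)
    }
}

fn main() {
    // Constructed origin and candidate redirect targets.
    let policy = SsrfPolicy;
    let from = "https://example.com/.well-known/did.json";
    for to in [
        "https://example.com:443/did.json",
        "http://example.com/did.json",
        "https://example.com:8443/did.json",
        "https://cdn.example.net/did.json",
    ] {
        println!("{to:<40} {:?}", policy.classify_redirect(from, to).map_err(|r| r.reason));
    }
}
```

Because the comparison is on the normalised triple rather than on raw strings, the check is insensitive to host case and to an explicit default port, but strict about everything else; that is the behaviour the "host + port" wording in §4.8 asks for.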
Trait Implementations

impl Clone for SsrfPolicy
    fn clone(&self) -> SsrfPolicy
    fn clone_from(&mut self, source: &Self)
        Performs copy-assignment from source.