Fix user-visible mirror URL leaks #7

Open
hqhq1025 wants to merge 1 commit into aiming-lab:main from hqhq1025:codex/fix-google-map-real-share-urls

hqhq1025 commented May 13, 2026

Summary

Fixes user-visible URL realism issues across WebHarbor mirror sites while preserving benchmark runtime localhost entry points.

Fixed surfaces:

  • Google Map place detail share links no longer expose http://localhost:40008/place/<slug>.
  • Google Map seeded place websites no longer use https://example.com/<slug> placeholders, with runtime fallback for existing packaged DB rows.
  • Booking and Allrecipes save/return forms no longer serialize absolute request.url mirror URLs into hidden next inputs.
  • Booking and Allrecipes next redirects now only allow root-relative paths.
  • BBC News article sharing no longer copies window.location.href; it copies the article source_url or a BBC fallback URL.
  • GitHub external-host recovery no longer redirects to fixed http://localhost:40006; it stays on the current host with a relative redirect.
  • Adds docs/url-realism-audit.md documenting the issue classes, intentional localhost/example.com matches, root causes, and regression rule.
  • Replaces the single-site check with scripts/check_url_realism.py for the known user-visible URL leak classes.

Root Cause

The mirrors mixed two URL roles:

  1. local benchmark runtime addresses, which are valid in tasks.jsonl and docs; and
  2. user-visible share/return/external-link surfaces, which should not expose local mirror hosts or placeholder domains.

Several templates and middleware reused local request URLs directly (request.url, window.location.href, or fixed localhost redirects), causing local mirror addresses to leak into UI or copied links.

Verification

  • python3 scripts/check_url_realism.py
  • python3 -m py_compile sites/allrecipes/app.py sites/booking/app.py sites/bbc_news/app.py sites/github/app.py sites/google_map/app.py sites/google_map/seed_data.py scripts/check_url_realism.py
  • Flask test-client checks:
    • Allrecipes authenticated recipe detail renders relative next values and rejects absolute next redirects.
    • Booking authenticated home page renders relative next values and rejects absolute next redirects.
    • BBC article page writes a real BBC share URL, not window.location.href or localhost.
    • GitHub external-host recovery with Host: github.com redirects to /microsoft/vscode?tab=readme, not http://localhost:40006/....
  • Google Map render check from previous pass:
    • /place/galleria-vittorio-emanuele renders https://www.google.com/maps/place/Galleria+Vittorio+Emanuele+II+Milan/ and does not leak localhost:40008 or example.com/galleria-vittorio-emanuele.

Fixes #13.

hqhq1025 force-pushed the codex/fix-google-map-real-share-urls branch from b4581ac to dd14164 (May 13, 2026 15:55)
hqhq1025 changed the title from "Fix Google Map place share URLs" to "Fix user-visible mirror URL leaks" (May 13, 2026)
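
The root-relative `next` rule from the description above, sketched as an added example; this is not code from the PR or the WebHarbor repository. `safe_next_path` and `relative_next` are hypothetical names, and the sample values are constructed from URLs quoted in the description.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"


def safe_next_path(target, default=DEFAULT_TARGET):
    """Return `target` only if it is a root-relative path, else `default`."""
    if not isinstance(target, str) or not target:
        return default
    # Browsers drop tabs/newlines while parsing, so "/\t/host" becomes "//host".
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    # Browsers treat "\" as "/" in http(s) URLs: "/\host" behaves like "//host".
    if "\\" in target:
        return default
    # Exactly one leading slash: "//host/path" is scheme-relative, not a path.
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


def relative_next(request_url):
    """Reduce an absolute request URL to path + query for a hidden `next` input."""
    parts = urlsplit(request_url)
    path = parts.path or "/"
    candidate = f"{path}?{parts.query}" if parts.query else path
    return safe_next_path(candidate)


if __name__ == "__main__":
    # Constructed sample values, modelled on URLs quoted in the PR description.
    samples = [
        "/microsoft/vscode?tab=readme",            # accepted unchanged
        "http://localhost:40006/microsoft/vscode",  # absolute URL -> default
        "//example.com/galleria",                   # scheme-relative -> default
        "/\\example.com",                           # backslash variant -> default
    ]
    for value in samples:
        print(repr(value), "->", safe_next_path(value))
    print(relative_next("http://localhost:40008/place/galleria-vittorio-emanuele"))
```

The same validator runs on both sides: when rendering the hidden input and again when the redirect is issued, so a tampered form value falls back to the default path.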
Development

Successfully merging this pull request may close these issues.

User-visible mirror URL surfaces leak localhost or placeholder domains
