> If this field appears within a "security.txt" file and the URI used to retrieve that file is not listed within any canonical fields, then the contents of the file SHOULD NOT be trusted.

https://www.rfc-editor.org/rfc/rfc9116#name-canonical

Close #40
Pull request overview
This pull request implements validation of the Canonical field according to RFC 9116, which states that if a security.txt file contains canonical fields, the URI used to retrieve the file should be listed within those canonical fields.
Key changes include:
- Added file location tracking to `SecurityTxt` objects
- Renamed `SecurityTxtSchemeNotHttps` to `SecurityTxtFileLocationNotHttps` for better clarity
- Introduced `SecurityTxtCanonicalUriMismatch` violation when the file location doesn't match any canonical URIs
- Added `CanonicalUriListedFieldValidator` to validate canonical URI consistency
- Moved HTTPS scheme validation from fetcher to parser/`SecurityTxt` class
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Validator/Validators/CanonicalUriListedFieldValidator.php | New validator that checks if file location matches canonical URIs |
| src/Validator/SecurityTxtValidator.php | Added CanonicalUriListedFieldValidator to the list of validators |
| src/Violations/SecurityTxtCanonicalUriMismatch.php | New violation for canonical URI mismatch with dynamic messaging |
| src/Violations/SecurityTxtFileLocationNotHttps.php | Renamed from SecurityTxtSchemeNotHttps for consistency |
| src/Violations/SecurityTxtFileLocationNotUri.php | New violation for invalid file location URIs |
| src/SecurityTxt.php | Added fileLocation property and methods; refactored setValue/setFieldValue methods |
| src/Parser/SecurityTxtParser.php | Updated parseString to accept optional fileLocation parameter |
| src/Json/SecurityTxtJson.php | Added fileLocation handling in JSON serialization/deserialization |
| src/Fetcher/SecurityTxtFetcher.php | Removed HTTPS validation (moved to SecurityTxt class) |
| tests/Validator/SecurityTxtValidatorTest.phpt | Added comprehensive tests for canonical URI validation scenarios |
| tests/SecurityTxtTest.phpt | Added tests for setFileLocation method |
| tests/Json/SecurityTxtJsonTest.phpt | Added tests for fileLocation JSON handling |
| tests/Check/*.phpt | Updated tests to use renamed SecurityTxtFileLocationNotHttps class |
spaze added a commit to spaze/michalspacek.cz that referenced this pull request on Dec 10, 2025:
That means that the request will always redirect `/.well-known/security.txt` to the "main site" (with `www`, or without). Because spaze/security-txt has introduced validation of the `Canonical` field in spaze/security-txt#44 and when it doesn't match, a warning is generated. Another option would be to add an extra `Canonical` (e.g. with `www`) to the `security.txt` file, or to redirect directly in nginx, but that would mean having redirect rules, like whether this domain is used with or without `www`, in one more place. Let's see if this is a good idea.
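The rule the Copilot overview describes (a `Canonical` mismatch is reported only when the file actually carries `Canonical` fields, and the HTTPS check now happens against the file location rather than in the fetcher) and the `www`/non-`www` situation in the commit message above both boil down to the same RFC 9116 check. The following Python sketch is an added example, not code from spaze/security-txt; the function names `parse_security_txt` and `check_file_location`, the violation labels, and the two sample files are constructed for illustration, and URI comparison is a plain string match (no normalisation).

```python
"""RFC 9116 section 2.5.2: if a security.txt lists Canonical URIs, the URI the
file was fetched from must be one of them, otherwise the file should not be
trusted.  Added example; names and samples are constructed, not the project's."""
from urllib.parse import urlsplit

# Constructed sample 1: both the bare and the www host are listed as Canonical.
SAMPLE_BOTH = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59.000Z
Canonical: https://example.com/.well-known/security.txt
Canonical: https://www.example.com/.well-known/security.txt
"""

# Constructed sample 2: only the bare host is listed, so a fetch via www mismatches.
SAMPLE_SINGLE = """\
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59.000Z
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample 3: no Canonical field at all, so the check does not apply.
SAMPLE_NONE = """\
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59.000Z
"""


def parse_security_txt(text):
    """Return (name, value) pairs; field names are case-insensitive per RFC 9116.
    Comment and blank lines are skipped; lines without ':' are ignored here."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_file_location(text, file_location):
    """Return the list of violation labels for the given retrieval URI.

    - FileLocationNotUri: the location is not an absolute URI
    - FileLocationNotHttps: scheme is not https (RFC 9116 requires https)
    - CanonicalUriMismatch: Canonical fields exist but none equals the location
    """
    violations = []
    parts = urlsplit(file_location)
    if not parts.scheme or not parts.netloc:
        # Nothing else can be checked sensibly without a usable URI.
        return ["FileLocationNotUri"]
    if parts.scheme.lower() != "https":
        violations.append("FileLocationNotHttps")
    canonicals = [v for n, v in parse_security_txt(text) if n == "canonical"]
    # Only files that declare Canonical URIs are subject to the mismatch rule.
    if canonicals and file_location not in canonicals:
        violations.append("CanonicalUriMismatch")
    return violations


if __name__ == "__main__":
    www = "https://www.example.com/.well-known/security.txt"
    bare = "https://example.com/.well-known/security.txt"
    print("single canonical, fetched via www:", check_file_location(SAMPLE_SINGLE, www))
    print("both canonicals, fetched via www: ", check_file_location(SAMPLE_BOTH, www))
    print("plain http fetch:                 ", check_file_location(SAMPLE_BOTH, "http://example.com/.well-known/security.txt"))
    print("no canonical field:               ", check_file_location(SAMPLE_NONE, www))
```

Run against the samples, `SAMPLE_SINGLE` fetched through the `www` host yields the mismatch, while `SAMPLE_BOTH` (the "add an extra `Canonical`" option from the commit message) passes for either host; the redirect option avoids the problem by making sure the file is only ever retrieved from the one URI that is listed.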