go/src/net/http/client_test.go, branch main

net/http: run tests for HTTP/3 where it can already pass

2026-04-10T21:18:34Z

By default, our test harnesses (run and runSynctest) now use http3Mode, in addition to http1Mode and http2Mode, when no []testMode were explicitly defined for a given test. Tests that cannot currently pass for HTTP/3 have been modified to use http3SkippedMode, which serves as a convenient alias for the old default of []testMode{http1Mode, http2Mode}. We changed the default mode and defined http3SkippedMode so we have a clear list of TODOs in terms of how much changes are still needed before our HTTP/3 implementation reaches basic feature parity with HTTP/1 and HTTP/2. For #70914 Change-Id: I719d5d66399a51f7c3d96180ebed9b606a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/765320 Reviewed-by: Damien Neil LUCI-TryBot-Result: Go LUCI Reviewed-by: Nicholas Husin

net/http: fix data race in TestClientRedirectUseResponse

2026-04-10T21:18:22Z

There is a data race between the assignment of ts, and the access of ts.URL in the server handler. The data race seems to be more common when running the test against our HTTP/3 implementation. Fix the issue by deriving ts.URL via the given Request in the server handler. For #70914 Change-Id: Ic1924bf2c814517bae6b2e999d5f7efa6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/765443 LUCI-TryBot-Result: Go LUCI Reviewed-by: Nicholas Husin Reviewed-by: Damien Neil

net/http: use net/http/internal/http2 rather than h2_bundle.go

2026-03-12T15:13:20Z

Rework net/http/internal/http2 to use internally-defined types rather than net/http types (to avoid an import cycle). Remove h2_bundle.go, and replace it with calls into net/http/internal/http2 instead. For #67810 Change-Id: I56a1b28dbd0e302ab15a30f819dd46256a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/751304 Reviewed-by: Nicholas Husin LUCI-TryBot-Result: Go LUCI Auto-Submit: Damien Neil Reviewed-by: Nicholas Husin

net/http: fix WaitGroup race in TestTransportNoReuseAfterEarlyResponse

2026-02-06T22:53:30Z

The remaining race reported in go.dev/issue/66519 is that it's possible for copying.Wait to start running before all copying.Add calls complete. It happens infrequently as is, but padding both Wait and Add calls with a 100 ms sleep makes it highly reproducible. Arranging the Add call to happen before responding "foo" to the POST request should be enough to guarantee that Wait doesn't start running until all Add calls have already happened. While here, delete a blank line that gets more in the way of reading error handling code than it helps. For #64252. Fixes #66519 (optimistically). Change-Id: Ibf264d8cc5ffc2495e8ae8e66a15591310c65e71 Reviewed-on: https://go-review.googlesource.com/c/go/+/739060 Reviewed-by: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI Reviewed-by: Damien Neil Auto-Submit: Dmitri Shuralyov

net/http: strip request body headers on POST to GET redirects

2025-10-10T21:39:53Z

According to WHATWG Fetch, when the body is dropped in a redirect, headers that describe the body should also be dropped. https://fetch.spec.whatwg.org/#http-redirect-fetch Fixes #57273 Change-Id: I84598f69608e95c1b556ea0ce5953ed43bf2d824 Reviewed-on: https://go-review.googlesource.com/c/go/+/710395 Auto-Submit: Damien Neil Reviewed-by: Michael Pratt Reviewed-by: Damien Neil LUCI-TryBot-Result: Go LUCI

net/http: set cookie host to Request.Host when available

2025-10-10T21:38:20Z

When both Request.URL and Request.Host are set, the host in URL is used for connecting at the transport level, while Host is used for the request host line. Cookies should be set for the request, not the underlying connection destination. Fixes #38988 Change-Id: I09053b87ccac67081f6038d205837d9763701526 Reviewed-on: https://go-review.googlesource.com/c/go/+/710335 Reviewed-by: Damien Neil Auto-Submit: Damien Neil Reviewed-by: Michael Pratt LUCI-TryBot-Result: Go LUCI

all: delete more windows/arm remnants

2025-08-29T17:57:46Z

Updates #71671 Change-Id: I663c4a659ad45bcebfc03d6eb4783e5f5d3afa0d Reviewed-on: https://go-review.googlesource.com/c/go/+/699176 Auto-Submit: Tobias Klauser Reviewed-by: Quim Muntal Reviewed-by: Cherry Mui Reviewed-by: Carlos Amedee LUCI-TryBot-Result: Go LUCI

net/http: strip sensitive proxy headers from redirect requests

2025-06-05T18:44:48Z

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain. https://fetch.spec.whatwg.org/#authentication-entries Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. For #73816 Fixes CVE-2025-4673 Change-Id: Ied7b641f6531f1d340ccba3c636d3c30dd5547d9 Reviewed-on: https://go-review.googlesource.com/c/go/+/679257 LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Knyszek

net/http: upon http redirect, copy Request.GetBody in new request

2025-05-20T15:40:50Z

This enable http.RoundTripper implementation to retry POST request (let's say after a 500) after a 307/308 redirect. Fixes #73439 Change-Id: I4365ff58b012c7f0d60e0317a08c98b1d48f657e Reviewed-on: https://go-review.googlesource.com/c/go/+/666735 Reviewed-by: Sean Liao Auto-Submit: Damien Neil LUCI-TryBot-Result: Go LUCI Reviewed-by: Dmitri Shuralyov Reviewed-by: Damien Neil

net/http: test intended behavior in TestClientInsecureTransport

2025-04-15T22:55:28Z

This test wasn't testing the HTTP/2 case, because it didn't set NextProtos in the tls.Config. Set "Connection: close" on requests to make sure each request gets a new connection. Change-Id: I1ef470e7433a602ce88da7bd7eeec502687ea857 Reviewed-on: https://go-review.googlesource.com/c/go/+/655676 LUCI-TryBot-Result: Go LUCI Reviewed-by: Sean Liao Auto-Submit: Damien Neil Reviewed-by: Michael Pratt