I noticed that the URL is validated here. The main logic is to retrieve netloc for blacklist matching. However, it's worth noting that netloc can actually contain userinfo; for example, http://a@blacklist.com can successfully request http://blacklist.com, but it can bypass the blacklist.
I noticed that the URL is validated here. The main logic is to retrieve netloc for blacklist matching. However, it's worth noting that netloc can actually contain userinfo; for example, http://a@blacklist.com can successfully request http://blacklist.com, but it can bypass the blacklist.