
Conversation

@playmiel playmiel (Owner) commented Dec 18, 2025

add gzip and security correction

Copilot AI review requested due to automatic review settings December 18, 2025 12:01
@playmiel playmiel changed the title from 1 to 1.1.4 Dec 18, 2025
@playmiel playmiel self-assigned this Dec 18, 2025
@playmiel playmiel added the enhancement New feature or request label Dec 18, 2025
Copilot AI (Contributor) left a comment


Pull request overview

This pull request adds significant new security and functionality improvements to the ESPAsyncWebClient library, bumping the version to 1.1.4. The main focus is on enhancing security controls around cross-origin requests, adding optional gzip decompression support, and improving cookie domain handling.

Key Changes:

  • Optional gzip decompression: Introduces transparent Content-Encoding: gzip response decoding when built with ASYNC_HTTP_ENABLE_GZIP_DECODE=1, using the vendored miniz library
  • Enhanced security controls: Adds HTTP header validation to prevent injection attacks, tightens TLS configuration with a new ASYNC_HTTP_ALLOW_INSECURE_TLS build flag, and implements a new redirect header policy system
  • Improved cookie handling: Replaces heuristic public-suffix filtering with an explicit allowlist mechanism for Domain= cookie attributes, defaulting to host-only cookies for better security

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

File Description
src/AsyncHttpClient.h Adds RedirectHeaderPolicy enum, gzip decoder integration, cookie domain allowlist fields, and const-correctness for lock methods
src/AsyncHttpClient.cpp Implements redirect header filtering, cookie domain validation with allowlist, gzip decode integration, TLS config sanitization, and null-safety checks
src/HttpRequest.cpp Adds header validation and fixes percent-encoding to avoid sign-extension bugs with non-ASCII characters
src/HttpCommon.h Adds header validation functions (isValidHttpHeaderName/Value), new error code GZIP_DECODE_FAILED, version bump, and security flags
src/GzipDecoder.h New class for streaming gzip decompression with RFC 1952 header/trailer handling
src/GzipDecoder.cpp Implements GzipDecoder with stub (disabled) and full (enabled via flag) implementations
src/third_party/miniz/* Vendored miniz inflate implementation (tinfl) for gzip support
test/test_redirects/test_main.cpp Adds tests for cross-origin header filtering and safe header allowlist mechanism
test/test_cookies/test_main.cpp Adds tests for cookie domain attribute rejection and allowlist behavior
test/test_gzip_decode_native/test_main.cpp New native test suite for gzip decoder with various chunking scenarios
platformio.ini Adds compile test for gzip feature and updates native test filter
.github/workflows/test.yml Adds gzip compile test to CI and extends native test coverage
.github/workflows/lint.yml Excludes third_party directory from formatting and linting checks
README.md Documents new API methods, cookie behavior, redirect policies, gzip support, and TLS security improvements
library.json, library.properties Version bump to 1.1.4

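Two of the items in the overview above, header validation against injection and the percent-encoding sign-extension fix, as an added example. This is not ESPAsyncWebClient's code and not taken from this PR: the names `isValidHttpHeaderName`/`isValidHttpHeaderValue` echo the functions the review mentions, but the bodies are written from scratch, and `percentEncode`/`percentEncodeBuggy` are illustrative names. The buggy variant forces the sign-extension so the failure is reproducible even on platforms where plain `char` is unsigned.

```cpp
// Added example, not ESPAsyncWebClient's code: header validation and percent-encoding
// of the kind described in the review above. Function names are illustrative assumptions.
#include <cstdio>
#include <string>

// RFC 9110 token characters: visible ASCII minus the delimiters.
static bool isTokenChar(unsigned char c) {
    if (c <= 0x20 || c >= 0x7F) return false;
    static const std::string delimiters = "()<>@,;:\\\"/[]?={}";
    return delimiters.find(static_cast<char>(c)) == std::string::npos;
}

// A header name must be a non-empty token; "Host:" or "X Device" are rejected.
bool isValidHttpHeaderName(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (!isTokenChar(c)) return false;
    }
    return true;
}

// A header value must not contain CR, LF or NUL (the bytes used for header injection and
// request splitting) nor other control characters; HTAB and obs-text (0x80-0xFF) are allowed.
bool isValidHttpHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == '\0') return false;
        if (c < 0x20 && c != '\t') return false;
        if (c == 0x7F) return false;
    }
    return true;
}

static bool isUnreserved(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
           c == '-' || c == '.' || c == '_' || c == '~';
}

// The sign-extension bug: a plain char holding a byte >= 0x80 is negative on signed-char
// platforms, so promoting it to int before formatting yields "%FFFFFFC3" instead of "%C3".
// The explicit signed char cast makes the effect reproducible on any platform.
std::string percentEncodeBuggy(const std::string& s) {
    std::string out;
    char buf[16];
    for (char c : s) {
        if (isUnreserved(static_cast<unsigned char>(c))) { out += c; continue; }
        int promoted = static_cast<signed char>(c);            // 0xC3 becomes -61
        std::snprintf(buf, sizeof buf, "%%%02X", static_cast<unsigned int>(promoted));
        out += buf;
    }
    return out;
}

// Fixed: iterate as unsigned char so each byte stays in 0..255 and encodes to two hex digits.
std::string percentEncode(const std::string& s) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        if (isUnreserved(c)) { out += static_cast<char>(c); continue; }
        out += '%';
        out += hex[c >> 4];
        out += hex[c & 0x0F];
    }
    return out;
}
```

Validating names and values before they are serialized is what stops a caller-supplied value such as `"ok\r\nX-Injected: 1"` from becoming a second header line on the wire; the encoder fix matters for the same reason, since a malformed `%FFFFFFC3` sequence is not reversible by the server.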

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

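The remaining two security points from the Copilot overview, cross-origin redirect header filtering and host-only cookies with an explicit `Domain=` allowlist, as one added example. It is not ESPAsyncWebClient's code and not from this PR; the enum name `RedirectHeaderPolicy` matches the one the review mentions, but its members, `headersForRedirect`, `acceptCookie`, `cookieAppliesTo` and the safe-header list are all assumptions made for illustration. An unparsable redirect target is treated as cross-origin so the filter fails closed.

```cpp
// Added example, not ESPAsyncWebClient's code. Illustrates (1) dropping credentials on a
// cross-origin redirect via a policy enum and a safe-header allowlist and (2) honouring a
// Set-Cookie Domain= attribute only for allowlisted domains, host-only otherwise.
// Every identifier here is an assumption, not the library's API.
#include <algorithm>
#include <cctype>
#include <cstdlib>
#include <string>
#include <utility>
#include <vector>

using Header = std::pair<std::string, std::string>;

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

struct Origin { std::string scheme, host; int port; };

// Minimal origin extraction from scheme://host[:port][/path]; userinfo and IPv6 literals are not handled.
bool parseOrigin(const std::string& url, Origin& out) {
    size_t p = url.find("://");
    if (p == std::string::npos) return false;
    out.scheme = lower(url.substr(0, p));
    size_t start = p + 3;
    size_t end = url.find_first_of("/?#", start);
    std::string authority = url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    size_t colon = authority.rfind(':');
    out.host = lower(colon == std::string::npos ? authority : authority.substr(0, colon));
    out.port = colon == std::string::npos ? (out.scheme == "https" ? 443 : 80)
                                          : std::atoi(authority.c_str() + colon + 1);
    return !out.host.empty() && out.port > 0;
}

bool sameOrigin(const Origin& a, const Origin& b) {
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

enum class RedirectHeaderPolicy { KeepAll, StripSensitive, SafeAllowlistOnly };

// Credentials that must never follow a redirect to another origin.
static bool isSensitive(const std::string& n) {
    std::string l = lower(n);
    return l == "authorization" || l == "proxy-authorization" || l == "cookie";
}
// Headers considered safe to replay anywhere (illustrative allowlist).
static bool isSafe(const std::string& n) {
    std::string l = lower(n);
    return l == "accept" || l == "accept-language" || l == "accept-encoding" || l == "user-agent";
}

// Same-origin redirects keep everything; anything else (including an unparsable target,
// which fails closed) is filtered according to the policy.
std::vector<Header> headersForRedirect(const std::vector<Header>& original, const std::string& fromUrl,
                                       const std::string& toUrl, RedirectHeaderPolicy policy) {
    Origin from{}, to{};
    bool same = parseOrigin(fromUrl, from) && parseOrigin(toUrl, to) && sameOrigin(from, to);
    if (same || policy == RedirectHeaderPolicy::KeepAll) return original;
    std::vector<Header> out;
    for (const Header& h : original) {
        bool keep = (policy == RedirectHeaderPolicy::StripSensitive) ? !isSensitive(h.first) : isSafe(h.first);
        if (keep) out.push_back(h);
    }
    return out;
}

struct StoredCookie { std::string name, value, domain; bool hostOnly; };

// True when host equals domain or is a subdomain of it (label boundary respected).
static bool domainMatches(const std::string& host, const std::string& domain) {
    if (host == domain) return true;
    return host.size() > domain.size() && host[host.size() - domain.size() - 1] == '.' &&
           host.compare(host.size() - domain.size(), domain.size(), domain) == 0;
}

// Store a cookie for requestHost. Without Domain= it is host-only. With Domain=, the host must
// lie within that domain (RFC 6265 section 5.3) and the domain must be allowlisted; otherwise
// the cookie is rejected rather than widened to a domain the caller never approved.
bool acceptCookie(const std::string& requestHost, const std::string& name, const std::string& value,
                  const std::string& domainAttr, const std::vector<std::string>& allowedDomains,
                  StoredCookie& out) {
    std::string host = lower(requestHost);
    if (domainAttr.empty()) { out = {name, value, host, true}; return true; }
    std::string d = lower(domainAttr);
    if (d[0] == '.') d.erase(0, 1);
    if (d.empty() || !domainMatches(host, d)) return false;
    if (std::find(allowedDomains.begin(), allowedDomains.end(), d) == allowedDomains.end()) return false;
    out = {name, value, d, false};
    return true;
}

bool cookieAppliesTo(const StoredCookie& c, const std::string& host) {
    std::string h = lower(host);
    return c.hostOnly ? h == c.domain : domainMatches(h, c.domain);
}
```

Note that a port change alone makes the target cross-origin, so a `Location:` pointing at the same host on another port still loses `Authorization` and `Cookie`; an allowlist of cookie domains replaces the public-suffix heuristic the overview says the PR removed, at the cost that the application must name every domain it wants domain-wide cookies for.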


Labels

enhancement New feature or request
