shipfeedAI news, curated daily

05:49:02 CET
14 JUL05:49:02shipfeed
pull to refreshlast sync
Just in — 30 new
§ tools · storyline

Validates provider-response URLs to block redirects

Anthropic's AI SDK adds URL validation to block unsafe redirects in provider responses while preserving developer-configured endpoints.

yesterday · · primary fetch1 sourceupdated yesterday ·

Patch Changes 4be62c1: fix(provider-utils): validate provider-response URLs in `getFromApi` `getFromApi` now has a `validateUrl` flag. It is optional so existing callers keep compiling (omitting it behaves like `false`, i.e. no validation), but all AI SDK provider packages set it explicitly at every call site so each one makes a visible trust decision. When `true`, the URL is routed through `fetchWithValidatedRedirects` — the same guard used by `downloadBlob` — which rejects private/loopback/link-local targets, re-validates every redirect hop, strips proxy/metadata/cookie request headers, and drops all caller headers except the user-agent on cross-origin redirects (custom API-key headers must not follow a redirect off-origin any more than `Authorization` may); blocked URLs throw `DownloadError`.

It is enabled at the image/video/audio download and polling call sites where the URL comes from a provider response body; URLs built from developer-configured endpoints pass `validateUrl: false` and are unaffected. A new optional `credentialedOrigin` withholds caller headers unless the URL is same-origin with it, so the API key is not sent to a response-supplied host on a different…

read full article on github.com
§ sources1 publication · timeline below
  1. github.comVercel AI SDK — xai v4.0.12primary