Add URL parameter support to cors-fetch

[simonw]

• Read ?url=... parameter on page load and auto-fetch
• Update page URL with ?url=... when making fetch requests
• Allows sharing direct links to test specific URLs

---

Make cors-fetch work by updating the page URL to include ?url=… and have it fetch that URL when the page loads if it has been provided

[claude]

Claude finished @simonw's task —— View job

---

PR Review: Add URL parameter support to cors-fetch

Todo List

• Read the repository's CLAUDE.md file for guidelines
• Examine the changed file (cors-fetch.html)
• Analyze code quality and best practices
• Check for potential bugs or issues
• Review performance considerations
• Assess security concerns
• Evaluate test coverage
• Provide comprehensive review feedback

Code Review Analysis

I've thoroughly reviewed the URL parameter support implementation. Overall, this is a well-implemented feature that enhances the tool's usability by allowing direct URL sharing. Here's my detailed feedback:

✅ Strengths

Code Quality & Best Practices:

• Clean, readable JavaScript implementation following established patterns in the codebase
• Proper separation of concerns with dedicated functions (getUrlParam(), updatePageUrl())
• Good error handling and URL validation using new URL() constructor
• Consistent code style with existing functions

User Experience:

• Seamless integration - URL updates happen on both button click and Enter keypress
• Auto-fetch on page load provides immediate value when sharing links
• Non-intrusive - doesn't break existing functionality

⚠️ Areas for Improvement

Security Considerations:

1. URL Validation Gap (cors-fetch.html:497-499): The auto-fetch functionality bypasses the URL validation that manual requests go through. Consider validating the URL parameter:

   if (initialUrl) {
     try {
       new URL(normalizeUrl(initialUrl));
       urlInput.value = initialUrl;
       doFetch();
     } catch (e) {
       console.warn('Invalid URL parameter:', initialUrl);
     }
   }

2. XSS Prevention: While the current implementation doesn't directly output the URL parameter to DOM without validation, consider sanitizing URL parameters to prevent potential XSS if the code evolves.

Performance & UX:

1. Auto-fetch Behavior (cors-fetch.html:499): Auto-fetching on page load could be unexpected for users and may consume bandwidth unnecessarily. Consider adding a confirmation or making it optional.

2. History Management (cors-fetch.html:467): Using history.replaceState() is appropriate, but consider preserving other query parameters if they exist in the original URL.

🧪 Test Coverage

Missing Test Coverage:

• No automated tests for the new URL parameter functionality
• Manual testing scenarios to consider:
  • Valid URL parameter with auto-fetch
  • Invalid URL parameter handling
  • URL parameter with special characters
  • Multiple query parameters preservation
  • Browser back/forward behavior with URL updates

🔍 Code Improvements

Minor Enhancement Opportunities:

1. URL Parameter Sanitization (cors-fetch.html:473-475):

   function getUrlParam() {
     const params = new URLSearchParams(window.location.search);
     const url = params.get("url");
     return url ? decodeURIComponent(url.trim()) : null;
   }

2. Preserve Existing Query Parameters (cors-fetch.html:465-467):

   function updatePageUrl(fetchUrl) {
     if (fetchUrl) {
       const newUrl = new URL(window.location.href);
       newUrl.searchParams.set("url", fetchUrl);
       // Preserve other existing parameters
       history.replaceState(null, "", newUrl.toString());
     }
   }

📊 Overall Assessment

This is a solid implementation that delivers the promised functionality cleanly. The code integrates well with the existing codebase and follows good practices. The main concerns are around input validation for the auto-fetch feature and the lack of test coverage.

Recommendation: ✅ Approved with minor suggestions

The implementation successfully delivers shareable CORS testing links with minimal risk. The suggested security improvements are precautionary rather than critical fixes.