fix: X-Forwarded-Proto rejected when allowedDomains includes protocol field

[z0mt3c]

The protocol validation in validateForwardedHeaders() passed the full pattern object to matchPattern(), which also checked hostname against the hardcoded test URL (example.com). Pass only { protocol } to matchPattern() so that only the protocol field is validated; the host+proto combination is already checked in the host validation block below.

Fixes #15559

Changes

• Pass { protocol: pattern.protocol } instead of the full pattern to matchPattern() in the protocol validation block
• Changeset included

Testing

Added 4 unit tests in node.test.js covering the reverse proxy case (socket.encrypted: false):

• Accepts forwarded https when allowedDomains has protocol + hostname
• Rejects forwarded http when only https is allowed
• Accepts forwarded https with wildcard hostname pattern
• Constructs correct URL behind reverse proxy with all forwarded headers

Docs

No docs changes needed — this restores the documented behavior of security.allowedDomains.

[changeset-bot]

🦋 Changeset detected

Latest commit: 31af714

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[codspeed-hq]

Merging this PR will improve performance by 32.87%

⚡ 2 improved benchmarks
✅ 7 untouched benchmarks

Performance Changes

	Mode	Benchmark	BASE	HEAD	Efficiency
⚡	Simulation	Build: hybrid site (static + server)	8.5 s	7.7 s	+10.59%
⚡	Simulation	Rendering: streaming [false], .md file	1.5 ms	1.1 ms	+32.87%

---

_{Comparing z0mt3c:fix/forwarded-proto-allowed-domains (31af714) with main (7be3308)¹}

Footnotes

1. No successful run was found on main (55c568c) during the generation of this report, so 7be3308 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩