net/http: document panic behavior of `CrossOriginProtection.AddInsecureBypassPattern`

[gazerro]

The CrossOriginProtection.AddInsecureBypassPattern method of the net/http package panics if the given pattern conflicts with one that is already bypassed.

This could be inferred from the method's documentation, which states:

The pattern syntax and precedence rules are the same as [ServeMux](https://pkg.go.dev/net/http@go1.25.0#ServeMux).

However, in the ServeMux documentation it is explicitly noted that ServeMux.Handle and ServeMux.HandleFunc may panic, while this is not mentioned for CrossOriginProtection.AddInsecureBypassPattern.

I suggest updating the documentation of both AddInsecureBypassPattern and ServeMux to clearly indicate which methods may panic in case of a conflict.

[gabyhelp]

Related Issues

• net/http: `CrossOriginProtection` insecure bypass patterns not limited to exact matches #75054 (closed)

Related Documentation

• Package http > type CrossOriginProtection 1.25 > func (*CrossOriginProtection) AddInsecureBypassPattern 1.25

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[prattmic]

cc @FiloSottile @golang/security

[neild]

Seems reasonable to me.

[colegarien]

Hi, I’d like to take this issue. I’ve prepared a PR here that updates the doc comments on ServeMux.Handle, ServeMux.HandleFunc, and CrossOriginProtection.AddInsecureBypassPattern to explicitly mention panic conditions for both conflicts and invalid patterns.

[gopherbot]

Change https://go.dev/cl/701016 mentions this issue: net/http: clarify panic conditions in Handle, HandleFunc, AddInsecureBypassPattern