remove suffix matching from host whitelist

Signatures are per-URL, so the whitelist should only support exact host
matches. Remove the suffix/wildcard matching that allowed patterns like
'.example.com' to bypass signature requirements for entire domain trees.

Leading dots in existing config entries are now stripped, so '.example.com'
becomes 'example.com' as an exact match (backwards-compatible normalisation).

internal/imgcache/whitelist.go

@@ -5,23 +5,20 @@ import (
 	"strings"
 )
 
-// HostWhitelist implements the Whitelist interface for checking allowed source hosts.
+// HostWhitelist checks whether a source host is allowed without a signature.
+// Only exact host matches are supported. Signatures are per-URL, so
+// wildcard/suffix matching is intentionally not provided.
 type HostWhitelist struct {
 	// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
 	exactHosts map[string]struct{}
-	// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
-	suffixHosts []string
 }
 
-// NewHostWhitelist creates a whitelist from a list of host patterns.
-// Patterns starting with "." are treated as suffix matches.
-// Examples:
-//   - "cdn.example.com" - exact match only
-//   - ".example.com" - matches cdn.example.com, images.example.com, etc.
+// NewHostWhitelist creates a whitelist from a list of hostnames.
+// Each entry is treated as an exact host match. Leading dots are
+// stripped so that legacy ".example.com" entries become "example.com".
 func NewHostWhitelist(patterns []string) *HostWhitelist {
 	w := &HostWhitelist{
-		exactHosts:  make(map[string]struct{}),
-		suffixHosts: make([]string, 0),
+		exactHosts: make(map[string]struct{}),
 	}
 
 	for _, pattern := range patterns {
@@ -30,9 +27,11 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 			continue
 		}
 
-		if strings.HasPrefix(pattern, ".") {
-			w.suffixHosts = append(w.suffixHosts, pattern)
-		} else {
+		// Strip leading dot — suffix matching is no longer supported;
+		// ".example.com" is normalised to "example.com" as an exact entry.
+		pattern = strings.TrimPrefix(pattern, ".")
+
+		if pattern != "" {
 			w.exactHosts[pattern] = struct{}{}
 		}
 	}
@@ -40,7 +39,7 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 	return w
 }
 
-// IsWhitelisted checks if a URL's host is in the whitelist.
+// IsWhitelisted checks if a URL's host is in the whitelist (exact match only).
 func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 	if u == nil {
 		return false
@@ -51,32 +50,17 @@ func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 		return false
 	}
 
-	// Check exact match
-	if _, ok := w.exactHosts[host]; ok {
-		return true
-	}
+	_, ok := w.exactHosts[host]
 
-	// Check suffix match
-	for _, suffix := range w.suffixHosts {
-		if strings.HasSuffix(host, suffix) {
-			return true
-		}
-		// Also match if host equals the suffix without the leading dot
-		// e.g., pattern ".example.com" should match "example.com"
-		if host == strings.TrimPrefix(suffix, ".") {
-			return true
-		}
-	}
-
-	return false
+	return ok
 }
 
 // IsEmpty returns true if the whitelist has no entries.
 func (w *HostWhitelist) IsEmpty() bool {
-	return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
+	return len(w.exactHosts) == 0
 }
 
 // Count returns the total number of whitelist entries.
 func (w *HostWhitelist) Count() int {
-	return len(w.exactHosts) + len(w.suffixHosts)
+	return len(w.exactHosts)
 }