import java.util.List;
import org.jspecify.annotations.Nullable;

/**
 * An immutable well-formed internet domain name, such as {@code com} or {@code foo.co.uk}. Only
 * syntactic analysis is performed; no DNS lookups or other network interactions take place. Thus
 * there is no guarantee that the domain actually exists on the internet.
 *
 * <p>One common use of this class is to determine whether a given string is likely to represent an

Then the malicious website could make the local AI agent send angry messages to the user's ex-boss... or worse. 😅

## Open Internet { #open-internet }

If your app is in the open internet, you wouldn't "trust the network" and let anyone send privileged requests without authentication.

    "Programming Language :: Python :: 3.11",
    "Programming Language :: Python :: 3.12",
    "Programming Language :: Python :: 3.13",
    "Programming Language :: Python :: 3.14",
    "Topic :: Internet :: WWW/HTTP :: HTTP Servers",
    "Topic :: Internet :: WWW/HTTP",
]
dependencies = [
    "starlette>=0.46.0",
    "pydantic>=2.9.0",
    "typing-extensions>=4.8.0",
    "typing-inspection>=0.4.2",
    "annotated-doc>=0.0.2",
]

      acceptedIssuers
        .map { it.subjectDN.name }
        .toSet()

    // It's safe to assume all platforms will have a major Internet certificate issuer.
    val majorIssuers =
      listOf(
        "DigiCert",
        "Let's Encrypt",
        "ISRG", // Internet Security Research Group (Let's Encrypt parent)
        "GlobalSign",
        "Comodo",
        "Sectigo",
        "GeoTrust",

## Self-hosting JavaScript and CSS for docs { #self-hosting-javascript-and-css-for-docs }

Self-hosting the JavaScript and CSS could be useful if, for example, you need your app to keep working even while offline, without open Internet access, or in a local network.

Here you'll see how to serve those files yourself, in the same FastAPI app, and configure the docs to use them.

### Project file structure { #project-file-structure }

   *
   * [rfc_7540_34]: https://datatracker.ietf.org/doc/html/rfc7540#autoid-10
   */
  H2_PRIOR_KNOWLEDGE("h2_prior_knowledge"),

  /**
   * QUIC (Quick UDP Internet Connection) is a new multiplexed and secure transport atop UDP,
   * designed from the ground up and optimized for HTTP/2 semantics. HTTP/1.1 semantics are layered
   * on HTTP/2.
   *

http://localhost:8000/v1/agents/multivac
```

尽管恶意网站与本地应用的主机不同，浏览器仍不会触发 CORS 预检请求，原因是：

- 请求不涉及任何认证，无需发送凭据。
- 浏览器认为它并未发送 JSON（因为缺少 `Content-Type` 头）。

于是，该恶意网站就可能让本地 AI 代理替用户向前老板发送愤怒消息……甚至更糟。😅

## 开放的互联网 { #open-internet }

如果你的应用部署在开放的互联网，你不会“信任网络”，也不会允许任何人不经认证就发送特权请求。

攻击者完全可以直接运行脚本向你的 API 发送请求，无需借助浏览器交互，因此你很可能已经对任何特权端点做好了安全防护。

在这种情况下，以上攻击/风险不适用于你。

该风险/攻击主要发生在应用运行于本地网络、且“仅依赖网络隔离作为保护”的场景。

```

Examples:

Source (English):

```
<abbr title="Internet of Things">IoT</abbr>
<abbr title="Central Processing Unit">CPU</abbr>
<abbr title="too long; didn't read"><strong>TL;DR:</strong></abbr>
```

Result (German):

```
<abbr title="Internet of Things - Internet der Dinge">IoT</abbr>
<abbr title="Central Processing Unit - Zentrale Verarbeitungseinheit">CPU</abbr>

```

即使惡意網站與本機應用的主機不同，瀏覽器也不會觸發 CORS 預檢請求，因為：

- 它在未經任何身分驗證的情況下執行，不需要送出任何憑證。
- 由於缺少 `Content-Type` 標頭，瀏覽器認為它並未傳送 JSON。

接著，惡意網站就能讓本機的 AI 代理替使用者向前老闆發飆傳訊... 或做更糟的事。😅

## 公開的網際網路 { #open-internet }

如果你的應用部署在公開的網際網路上，你不會「信任網路」而允許任何人在未經身分驗證的情況下發送具權限的請求。

攻擊者可以直接執行腳本向你的 API 發送請求，無需透過瀏覽器互動，因此你多半已經對任何具權限的端點做了防護。

在這種情況下，這種攻擊／風險不適用於你。

此風險與攻擊主要與應用只在本機或內部網路上執行，且「僅依賴此為保護」的情境相關。

### [URLs](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-http-url/)

URLs (like `https://github.com/square/okhttp`) are fundamental to HTTP and the Internet. In addition to being a universal, decentralized naming scheme for everything on the web, they also specify how to access web resources.

URLs are abstract: