fix: compare full origin (scheme+host+port) in is_same_site

mesop/server/server_utils.py

@@ -84,15 +84,19 @@ def create_update_state_event(diff: bool = False) -> str:
 
 def is_same_site(url1: str | None, url2: str | None):
   """
-  Determine if two URLs are the same site.
+  Determine if two URLs have the same origin (scheme + hostname + port).
   """
   # If either URL is false-y, they are not the same site
   # (because we need a real URL to have an actual site)
   if not url1 or not url2:
     return False
   try:
     p1, p2 = urlparse.urlparse(url1), urlparse.urlparse(url2)
-    return p1.hostname == p2.hostname
+    return (
+      p1.scheme == p2.scheme
+      and p1.hostname == p2.hostname
+      and p1.port == p2.port
+    )
   except ValueError:
     return False
 

mesop/server/server_utils_test.py

@@ -34,3 +34,28 @@ def test_prefix_base_url_no_base():
   with patch.object(env, "MESOP_BASE_URL_PATH", ""):
     reload_utils()
     assert su.prefix_base_url("/foo") == "/foo"
+
+
+def test_is_same_site_identical():
+  assert (
+    su.is_same_site("http://localhost:32123", "http://localhost:32123/") is True
+  )
+
+
+def test_is_same_site_different_ports():
+  assert (
+    su.is_same_site("http://localhost:32123", "http://localhost:8080") is False
+  )
+
+
+def test_is_same_site_different_schemes():
+  assert su.is_same_site("http://example.com", "https://example.com") is False
+
+
+def test_is_same_site_different_hosts():
+  assert su.is_same_site("http://evil.com", "http://localhost:32123") is False
+
+
+def test_is_same_site_none():
+  assert su.is_same_site(None, "http://localhost:32123") is False
+  assert su.is_same_site("http://localhost:32123", None) is False