The Fix
Upgrade to version 0.7.2 or later.
Based on closed encode/httpx issue #165 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -110,6 +110,7 @@ True
* `def __init__(url)`
+* `.scheme` - **str**
* `.is_ssl` - **bool**
* `.host` - **str**
repro.py
class Origin:
"""
The URL scheme and authority information, as a comparable, hashable object.
"""
def __init__(self, url: URLTypes) -> None:
if not isinstance(url, URL):
url = URL(url)
self.scheme = url.scheme
self.is_ssl = url.is_ssl
self.host = url.host
self.port = url.port
def __eq__(self, other: typing.Any) -> bool:
return (
isinstance(other, self.__class__)
and self.scheme == other.scheme
and self.host == other.host
and self.port == other.port
)
def __hash__(self) -> int:
return hash((self.scheme, self.host, self.port))
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.7.2 or later.\nWhen NOT to use: This fix should not be used if the is_ssl parameter is required for other functionalities.\n\n
Why This Fix Works in Production
- Trigger: Origin should be (scheme, host, port) not (is_ssl, host, port)
- Mechanism: Changes the Origin class to use the URL scheme instead of is_ssl for comparison purposes, resolving issue #165.
- Why the fix works: Changes the Origin class to use the URL scheme instead of is_ssl for comparison purposes, resolving issue #165. (first fixed release: 0.7.2).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Production symptom (often without a traceback): Origin should be (scheme, host, port) not (is_ssl, host, port)
Proof / Evidence
- GitHub issue: #165
- Fix PR: https://github.com/encode/httpx/pull/168
- First fixed release: 0.7.2
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.52
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“It's an easy change, but what about this? Could potentially just add .scheme and keep .is_ssl around as well:”
“Yeah we can keep the is_ssl parameter on the Origin class. Did you want to turn that mockup into a PR? :D”
Failure Signature (Search String)
- Origin should be (scheme, host, port) not (is_ssl, host, port)
- Example: `http+unix//localhost` and `http://localhost` would currently have the same origin despite being a different scheme. Change this by using URL.scheme instead of is_ssl.
Copy-friendly signature
signature.txt
Failure Signature
-----------------
Origin should be (scheme, host, port) not (is_ssl, host, port)
Example: `http+unix//localhost` and `http://localhost` would currently have the same origin despite being a different scheme. Change this by using URL.scheme instead of is_ssl.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
Origin should be (scheme, host, port) not (is_ssl, host, port)
Example: `http+unix//localhost` and `http://localhost` would currently have the same origin despite being a different scheme. Change this by using URL.scheme instead of is_ssl.
Minimal Reproduction
repro.py
class Origin:
"""
The URL scheme and authority information, as a comparable, hashable object.
"""
def __init__(self, url: URLTypes) -> None:
if not isinstance(url, URL):
url = URL(url)
self.scheme = url.scheme
self.is_ssl = url.is_ssl
self.host = url.host
self.port = url.port
def __eq__(self, other: typing.Any) -> bool:
return (
isinstance(other, self.__class__)
and self.scheme == other.scheme
and self.host == other.host
and self.port == other.port
)
def __hash__(self) -> int:
return hash((self.scheme, self.host, self.port))
What Broke
Different URL schemes were treated as the same origin, causing potential security issues.
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.7.2 or later.
When NOT to use: This fix should not be used if the is_ssl parameter is required for other functionalities.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/encode/httpx/pull/168
First fixed release: 0.7.2
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if the is_ssl parameter is required for other functionalities.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.7.2 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.