@SniperSister There are some changes to TUF related code which I do not understand the internal yet. I'm unsure if test update Joomla use Custom update server cover it or not. Could you please help reviewing to make sure it is OK, thanks.

@joomdonation
Too much code duplication, it's better to keep using framework HTTP class but keep \Joomla\CMS\Http\HttpFactory which will auto-inject header by default (like in current 6.0.1)? CMS factory should be just rewritten a bit.
It's normal to use framework package but have CMS-specific factory which will resolve HTTP class with CMS-specific options.

@AlterBrains Thanks for your feedback and Yes, I agree with you that there is too much code duplication and that should be improved. However :

• If we modify code of CMS http factory to return framework http object, I haven't checked but I expect there would be difference between http from framework with the one from CMS, so we will have the risk with b/c break
• To be safe, I proposed to introduce a new method getHttpClient which return http object from framework, with default userAgent auto-injected. That would work. But @HLeithner suggested that we explode the idea of pushing http factor to container and then inject it automatically to model/controller when it is needed. That would take more time to implement, review and testing, so not suitable for a bug fix release

So think about this PR as a bugs fix to avoid these http requests being blocked by WAF as described in original issue due to missing user-agent. And then we will have to more to implement a proper solution in 6.1

There are some changes to TUF related code which I do not understand the internal yet. I'm unsure if test update Joomla use Custom update server cover it or not. Could you please help reviewing to make sure it is OK, thanks.

LGTM

So think about this PR as a bugs fix to avoid these http requests being blocked by WAF as described in original issue due to missing user-agent. And then we will have to more to implement a proper solution in 6.1

Maybe a simple fix is just to reset back a default userAgent in the framework HttpFactory as it is done in CMS http package (used in updater before 6.0).

I did a PR on framework for that: joomla-framework/http#71

The changes were introduced by this PR: #45751

I did a PR on framework for that: joomla-framework/http#71

@cyrez The framework is independent with the CMS, we do not have CMS version available, so your PR would not work.

I did a PR on framework for that: joomla-framework/http#71

@cyrez The framework is independent with the CMS, we do not have CMS version available, so your PR would not work.

Oh yes, you're right!

Updated it, tested and it works now (at least with the firewall on my hosting).

Updated it, tested and it works now (at least with the firewall on my hosting).

Did you mean you tested this PR? If Yes, could you please report your test result? The issue addressed in this PR should be fixed

I have tested this item ✅ successfully on dfd421d

Tested succesfully for this dfd421d as per the testing instruction .

Updated it, tested and it works now (at least with the firewall on my hosting).

Did you mean you tested this PR? If Yes, could you please report your test result? The issue addressed in this PR should be fixed

No, i meant the PR i did in the framework.

Updated it, tested and it works now (at least with the firewall on my hosting).

Did you mean you tested this PR? If Yes, could you please report your test result? The issue addressed in this PR should be fixed

I will test it tomorrow, during PBF.
Could you maybe review the test instructions?
As it could be Joomla 6.0.2.
Too, is the URL https://artifacts.joomla.org/drone/joomla/joomla-cms/6.0-dev/46553/downloads/89844/pr_list.xml still valid?

About your test instructions, i supposed it fails before patch, and works after patch?

This could help to get more testers from PBF ;-)

On my side, i will do test with my own extension and own hosting server, enabling their firewall (which makes update fail) to test if it works with your patch. But by reviewing your code changes, it seems to be ok.

Thanks!

Thanks @cyrez . I updated testing instructions. The PR was from sometime ago, so the old download is not available anymore. I updated the testing instructions to use new URL https://artifacts.joomla.org/drone/joomla/joomla-cms/6.0-dev/46553/downloads/90762/pr_list.xml .

I have tested this item ✅ successfully on 72a83b8

• Test update Joomla OK.
• Test with my third-party extensions update from a update server xml on a hosting server with firewall enabled (OVH) OK (without this patch, error 403 on update. Patch applied, update runs normally).
• Test change to Languages model: all is good. Can retrieve list of languages and install new translation packs.

Thank you @joomdonation

I have tested this item ✅ successfully on 72a83b8

Hi @joomdonation - I was able to test this successfully!

Joomla update = 👍
Installed 2 different 3rd party extensions update = 👍
Installed additional German Languages model = 👍
I don't have a YubiKey so couldn't test that but tried PassKey Multifactor (unsure if that helped) = 👍

:)

I tried to test the PR. Here is what I did:

• Tested locally using Laragon
• Started from a 6.0.2 with Patchtester 5.0.1
• Applied the patch from this PR
• Successfully updated using the Custom URL given
• Randomly tested some functionality in backend
• Displayed frontend
• Installed Akeeba Backup 10.0.3
• Checked for updates and successfully updated to Akeeba Backup 10.2.2
• Configured Akeeba Backup output directory and did a backup
• Tested the GET Request scheduled task (Target: www.neudorf-mkk.de, intervall 1 min)
• Tested the Joomla Statistics plugin
• Did not test MFA via Yubikey (I don't have one)
• Successfully tested MFA via Passkey (Windows 11)
• Installed German language, set it as default, and as content language

But checking the access log, I couldn't find any user agents. Here is the access log:
accesslog_46553.zip

Is this related to my basic setup (Laragon on localhost, Windows 11)? Or did I miss something? Do I have to set a backend option?

@dautrich Thanks for testing. In this case, these requests are sent to external servers, not the server where you site is hosted. So the user agent will be shown in access logs of these external servers (like Joomla server will you update Joomla, Akeeba server when you update Akeeba Backup....).

With your tests, all your operations are completed without any issues, so I will still count this as a success test.

RTC

I have tested this item ✅ successfully on 72a83b8

@joomdonation

@dautrich Thanks for testing. In this case, these requests are sent to external servers, not the server where you site is hosted. So the user agent will be shown in access logs of these external servers (like Joomla server will you update Joomla, Akeeba server when you update Akeeba Backup....).

With your tests, all your operations are completed without any issues, so I will still count this as a success test.

You're perfectly right! The Get Request Task I used for testing went to one of my sites. I was able to find several of the resulting entries in my server's log:

185.17.205.0 - - [31/Jan/2026:18:22:35 +0100] "GET / HTTP/2.0" 200 68619 "-" "Mozilla/5.0 Joomla!/6.0.3-dev+pr.46553 Joomla"