Skip to content

docs: document opt-in safeUrlSchemes configuration parameter (CP: 25.0)#5791

Open
mcollovati wants to merge 1 commit into
v25.0from
docs/safeUrlScheme-backport-v25.0
Open

docs: document opt-in safeUrlSchemes configuration parameter (CP: 25.0)#5791
mcollovati wants to merge 1 commit into
v25.0from
docs/safeUrlScheme-backport-v25.0

Conversation

@mcollovati

Copy link
Copy Markdown
Contributor

Backport of #5775 to the v25.0 branch.

As on the 25.1 backport (#5790), the URL scheme validation is opt-in (disabled by default): the safeUrlSchemes parameter defaults to *, so every scheme is accepted unless the parameter is set. There is no com.vaadin.safeUrlSchemes legacy name.

Adapted to the v25.0 documentation format:

  • properties.adoc uses the five-column property table (added a safeUrlSchemes / vaadin.safeUrlSchemes row).
  • vulnerabilities.adoc gets the Unsafe URL Schemes section, using plain code spans to match the surrounding content on this branch.

A note points out that the default flips to enabled in Vaadin 25.2, so users are aware of the behavior change when migrating.

Part of vaadin/flow#24924

🤖 Generated with Claude Code

Flow adds URL scheme validation for `Anchor.setHref()`,
`IFrame.setSrc()` and `Page.open()`, but the validation is opt-in:
URLs of any scheme are accepted unless the `safeUrlSchemes` parameter
is set.

Document the `safeUrlSchemes` parameter and the Unsafe URL Schemes
security topic, and note that the default flips to enabled in Vaadin
25.2 so users are aware of the change when migrating.

Part of vaadin/flow#24924
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant