Skip to content

docs: document opt-in safeUrlSchemes configuration parameter (CP: 23)#5793

Open
mcollovati wants to merge 1 commit into
v23from
docs/safeUrlScheme-backport-v23
Open

docs: document opt-in safeUrlSchemes configuration parameter (CP: 23)#5793
mcollovati wants to merge 1 commit into
v23from
docs/safeUrlScheme-backport-v23

Conversation

@mcollovati

Copy link
Copy Markdown
Contributor

Backport of #5775 to the v23 branch.

As on the newer backports (#5790, #5791, #5792), the URL scheme validation is opt-in (disabled by default): the safeUrlSchemes parameter defaults to *, so every scheme is accepted unless the parameter is set. There is no com.vaadin.safeUrlSchemes legacy name.

Adapted to the v23 documentation layout (articles/configuration/properties.asciidoc three-column table; articles/security/advanced-topics/vulnerabilities.asciidoc for the Unsafe URL Schemes topic, plain code spans). A note points out that the default flips to enabled in Vaadin 25.2 so users are aware of the behavior change when migrating.

Part of vaadin/flow#24924

🤖 Generated with Claude Code

Flow adds URL scheme validation for `Anchor.setHref()`,
`IFrame.setSrc()` and `Page.open()`, but the validation is opt-in:
URLs of any scheme are accepted unless the `safeUrlSchemes` parameter
is set.

Document the `safeUrlSchemes` parameter and the Unsafe URL Schemes
security topic, and note that the default flips to enabled in Vaadin
25.2 so users are aware of the change when migrating.

Part of vaadin/flow#24924
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant