
ekzyis
Member

@ekzyis ekzyis commented Sep 8, 2025

Description

fix #2424

I think limiting links to https: should be okay. Here is the list of official URI schemes and I don't think we need any of them except https.

However, this now requires https: in the front. Before, no scheme was required, so stacker.news was a valid input. Now, it has to be https://stacker.news.

I am not sure if this is a UX problem. Browsers copy URLs with the scheme and I assume that's how most links are shared, and not by manually typing them etc.

Checklist

Are your changes backward compatible? Please answer below:

yes

On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:

10. intent: no longer works but https: does

For frontend changes: Tested on mobile, light and dark mode? Please answer below:

n/a

Did you introduce any new environment variables? If so, call them out explicitly here:

no

Member

@huumn huumn left a comment


If you want to whitelist protocols, that's fine, but this is a UX downgrade to whitelist a single protocol.

What about an onion address (that commonly is not https) or an ftp link or an npub (which we recognize as a 'url')? What about a developer that just launched a product at mywebsite.com and wants to promote it?

I personally hate when a website tells me invalid url or must specify https when I input a link without the awkward https://. If you know I must specify https, do it for me.

@ekzyis
Member Author

ekzyis commented Sep 8, 2025

What about an onion address (that commonly is not https) or an ftp link or an npub (which we recognize as a 'url')? What about a developer that just launched a product at mywebsite.com and wants to promote it?

Mhh, good points, didn't think of onion, npubs and that HTTP can make sense for new websites.

Regarding FTP, Chrome and Firefox (not sure about Safari) don't support it anymore (out-of-the-box) so I thought we don't need to allow it if most users can't open that link with their user agent. But I changed my mind, it can still make sense to share a link even if the user agent can't open it (similar for onion addresses).

I personally hate when a website tells me invalid url or must specify https when I input a link without the awkward https://. If you know I must specify https, do it for me.

I agree, this should be part of transform before validation.
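One way to implement the transform-before-validate approach this thread converges on, as an added example that is not stacker.news code: prepend https:// when the input carries no scheme, then check the parsed scheme against an allowlist that keeps http/https (so .onion hosts and plain-http sites still pass), ftp and nostr identifiers, while rejecting intent: and other non-listed schemes. The allowlist, the host:port heuristic and the nostr pattern are assumptions for illustration.

```javascript
// Added example, not stacker.news code. Normalizes a user-entered link and then
// validates its scheme. The allowlist and the nostr pattern are assumptions.

// Schemes a stored link may use. http: stays so that .onion hosts and sites
// without TLS can be shared; intent:, javascript:, data: etc. are never listed.
const ALLOWED_SCHEMES = new Set(['https:', 'http:', 'ftp:'])

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i
// "host:port" would otherwise look like a scheme (e.g. "localhost:3000")
const HOST_PORT_RE = /^[a-z0-9.-]+:\d{1,5}(\/|$)/i
// nostr bech32 identifiers (npub1..., note1..., ...) that the site treats as links
const NOSTR_RE = /^(nostr:)?(npub|nprofile|nevent|note|naddr)1[a-z0-9]{6,}$/i

// Transform step: add https:// when the input has no scheme of its own.
function normalizeLink(input) {
  const trimmed = input.trim()
  if (NOSTR_RE.test(trimmed)) return trimmed
  if (SCHEME_RE.test(trimmed) && !HOST_PORT_RE.test(trimmed)) return trimmed
  return `https://${trimmed}`
}

// Validation step: parse the normalized value and check its scheme.
// Returns { ok: true, value } with the canonical form, or { ok: false, reason }.
function validateLink(input) {
  const candidate = normalizeLink(input)
  if (NOSTR_RE.test(candidate)) return { ok: true, value: candidate }
  let url
  try {
    url = new URL(candidate)
  } catch {
    return { ok: false, reason: 'not a parseable URL' }
  }
  // URL lowercases the scheme, so INTENT:// is caught by the same check
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} is not allowed` }
  }
  if (!url.hostname) return { ok: false, reason: 'missing host' }
  return { ok: true, value: url.href }
}
```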

@ekzyis ekzyis marked this pull request as draft September 8, 2025 16:50
@ekzyis ekzyis added the priority:low 0.5x label Sep 10, 2025
@adlai

adlai commented Sep 13, 2025

The original description should make it clear that this has absolutely nothing to do with HTTP-insecure; and I should stop triggering notifications before yet another ostracism.

Successfully merging this pull request may close these issues.

intent:// Scheme Injection