Description
Currently, allowing custom URI protocols (such as my-app://, internal://) requires overriding the entire ALLOWED_URI_REGEXP. This is error-prone, hard to maintain, and forces developers to copy-paste a complex internal regex just to add a single schema.
Proposal
I propose adding two new configuration options:
ADD_ALLOWED_PROTOCOLS: An array of strings to be merged into the default allowed list.
ADD_DISALLOWED_PROTOCOLS: A way to explicitly block certain domains or patterns without touching the main regex.
Why?
Not everyone is a Regex expert; a simple mistake like missing a | could block safe protocols and accidentally create dangerous ones (example: merging http and https into a broken httphttps schema), which is a significant security risk.