Thanks to visit codestin.com
Credit goes to github.com

Skip to content

security: Allow hostnames starting with digits in default security.http.urls #14837

Closed
#14840
Closed
security: Allow hostnames starting with digits in default security.http.urls#14837
#14840
Assignees
bep
Labels
EnhancementOutdated
@jmooring

Description

@jmooring
jmooring
opened on Apr 30, 2026

The current default configuration for security.http.urls prevents resources.GetRemote from fetching assets from domains that begin with a digit (e.g., 1password.com, 37signals.com).

Suggesting changing this:

URLs: MustNewWhitelist(
	`(?i)^https?://[a-z]`,
	`! (?i)localhost`,
	`! (?i)^https?://[^/?#]*@`,
),

To this:

URLs: MustNewWhitelist(
	`(?i)^https?://[a-z0-9]`,
	`! (?i)localhost`,
	`! (?i)^https?://[^/?#]*@`,
),

Metadata

Metadata

Assignees

Labels

EnhancementOutdated

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions