Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions articles/flow/configuration/properties.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -137,11 +137,6 @@
Default: `false` +
Mode: Runtime

`**com.vaadin.safeUrlSchemes**`::
[since:com.vaadin:vaadin@V25.2]#Comma-separated list of URL schemes that are considered safe# in URLs passed to [methodname]`Anchor.setHref()`, [methodname]`IFrame.setSrc()`, and [methodname]`Page.open()`. URLs whose scheme isn't in the list are rejected with an `IllegalArgumentException`. Relative URLs are always accepted. An entry of `*` marks every scheme as safe, disabling the validation. URLs with unsafe schemes can still be set through the dedicated unsafe setters, such as [methodname]`Anchor.setUnsafeHref()`. +
Default: `http,https,mailto,tel,ftp` +
Mode: Runtime

`**devmode.componentTracker.enabled**`::
Enable component tracking in development mode. +
Default: `true` +
Expand Down Expand Up @@ -347,6 +342,11 @@
Default: `false` +
Mode: Build

`**safeUrlSchemes**`::
[since:com.vaadin:vaadin@V25.2]#Comma-separated list of URL schemes that are considered safe# in URLs passed to [methodname]`Anchor.setHref()`, [methodname]`IFrame.setSrc()`, and [methodname]`Page.open()`. URLs whose scheme isn't in the list are rejected with an `IllegalArgumentException`. Relative URLs are always accepted. An entry of `*` marks every scheme as safe, disabling the validation. URLs with unsafe schemes can still be set through the dedicated unsafe setters, such as [methodname]`Anchor.setUnsafeHref()`. In Vaadin 25.2.1 this parameter was named `com.vaadin.safeUrlSchemes`; that name is deprecated but still recognized for backwards compatibility. +

Check warning on line 346 in articles/flow/configuration/properties.adoc

View workflow job for this annotation

GitHub Actions / lint

[vale] reported by reviewdog 🐶 [Vaadin.Versions] Don't refer to a specific Vaadin version. Raw Output: {"message": "[Vaadin.Versions] Don't refer to a specific Vaadin version.", "location": {"path": "articles/flow/configuration/properties.adoc", "range": {"start": {"line": 346, "column": 526}}}, "severity": "WARNING"}
Default: `http,https,mailto,tel,ftp` +
Mode: Runtime

`**syncIdCheck**`::
Enables synchronized ID checking. The synchronized ID is used to handle situations in which the client sends a message to a connector that has been removed from the server. It's set to `true`, by default. You should only disable it if your application doesn't need to stay synchronized, and suffers from a bad network connection. +
Default: `true` +
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ Pass a method reference or a lambda that builds the [classname]`Safelist`, rathe

URLs using a script-capable scheme, such as `javascript:`, are another common XSS vector. Vaadin validates URLs passed to [methodname]`Anchor.setHref(String)`, [methodname]`IFrame.setSrc(String)`, and [methodname]`Page.open(String)` against a list of safe schemes, and these methods throw an [classname]`IllegalArgumentException` if the scheme isn't considered safe. By default, the `http`, `https`, `mailto`, `tel`, and `ftp` schemes are accepted. Relative URLs have no scheme and are always accepted.

The set of safe schemes can be customized with the `com.vaadin.safeUrlSchemes` configuration parameter, which takes a comma-separated list of schemes. An entry of `*` marks every scheme as safe, disabling the validation. See <<{articles}/flow/configuration/properties#,Configuration Properties>> for how to set the parameter.
The set of safe schemes can be customized with the `safeUrlSchemes` configuration parameter, which takes a comma-separated list of schemes. An entry of `*` marks every scheme as safe, disabling the validation. See <<{articles}/flow/configuration/properties#,Configuration Properties>> for how to set the parameter.

If a URL is fully under your control and known to be safe, you can bypass the validation for that URL with the dedicated unsafe setters: [methodname]`Anchor.setUnsafeHref(String)`, [methodname]`IFrame.setUnsafeSrc(String)`, and [methodname]`Page.openUnsafe(String)`.

Expand Down
2 changes: 1 addition & 1 deletion articles/upgrading/index.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -1047,7 +1047,7 @@ Vaadin 25.2 hardens some security-related defaults. These changes may require ac

Starting with Vaadin 25.2, URLs passed to [methodname]`Anchor.setHref(String)`, [methodname]`IFrame.setSrc(String)`, and [methodname]`Page.open(String)` are validated against a list of safe URL schemes. By default, the `http`, `https`, `mailto`, `tel`, and `ftp` schemes are accepted; relative URLs are always accepted. Applications that set URLs with other schemes -- such as `javascript:` -- now get an [classname]`IllegalArgumentException` from these methods.

If your application needs to set such URLs, either configure the accepted schemes with the `com.vaadin.safeUrlSchemes` configuration parameter -- a comma-separated list of schemes, where the value `*` disables the validation -- or use the unsafe setter variants [methodname]`Anchor.setUnsafeHref(String)`, [methodname]`IFrame.setUnsafeSrc(String)`, and [methodname]`Page.openUnsafe(String)` for URLs that are fully under your control. See <<{articles}/flow/security/advanced-topics/vulnerabilities#,Common Vulnerabilities>> for details.
If your application needs to set such URLs, either configure the accepted schemes with the `safeUrlSchemes` configuration parameter -- a comma-separated list of schemes, where the value `*` disables the validation -- or use the unsafe setter variants [methodname]`Anchor.setUnsafeHref(String)`, [methodname]`IFrame.setUnsafeSrc(String)`, and [methodname]`Page.openUnsafe(String)` for URLs that are fully under your control. See <<{articles}/flow/security/advanced-topics/vulnerabilities#,Common Vulnerabilities>> for details.

=== X-Frame-Options Header Sent by Default

Expand Down
Loading