New security check on external URLs
Last modified by Vincent Massol on 2025/10/20 16:49

XWiki now has a security mechanism that informs users when they click a link leading to an external URL that does not belong to the list of trusted domains. The mechanism reuses the list of trusted domains that can be configured in xwiki.properties, and a new configuration property allows listing specific URLs that can be accessed from the frontend without any warning. A dedicated configuration property also makes it possible to disable the mechanism entirely.

#-# [Since 17.9.0RC1]
#-# [Since 17.4.6]
#-# [Since 16.10.13]
#-# Enable or disable the checks performed when clicking links in the UI, based on the list of trusted domains.
#-#
#-# By default this property is set to true:
# url.frontendUrlCheckEnabled=true

#-# [Since 17.9.0RC1]
#-# [Since 17.4.6]
#-# [Since 16.10.13]
#-# Allow specific URLs to be accessible from the frontend without asking for confirmation, and without
#-# needing to allow an entire domain. The expected format is absolute URLs separated by commas, e.g.:
#-# https://github.com/xwiki/xwiki-platform,https://www.xwiki.org/xwiki/bin/view/Main/WebHome
#-#
#-# By default this property is empty:
# url.allowedFrontendUrls=
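
Because every entry in url.allowedFrontendUrls bypasses the warning, it is worth linting the value before deploying it. The following is an added example, not XWiki code: the function name and the sample value are constructed, the "absolute URLs separated by commas" rule comes from the property documentation above, and the http(s)-only, no-credentials and no-duplicates checks are extra hygiene rules assumed here rather than rules XWiki is documented to enforce.

```javascript
// Constructed sample value for url.allowedFrontendUrls (not from a real wiki).
const SAMPLE = [
  'https://github.com/xwiki/xwiki-platform',
  ' https://github.com/xwiki/xwiki-platform',   // duplicate with a stray space
  '/xwiki/bin/view/Main/WebHome',               // relative, not absolute
  'www.xwiki.org/xwiki/bin/view/Main/WebHome',  // scheme missing
  'ftp://files.example.org/archive.zip',        // non-web scheme
  'https://user:secret@example.org/page',       // credentials in the URL
].join(',');

// Splits the property value on commas and classifies each entry.
// Returns the entries that pass, the ones that fail (with a reason),
// and a cleaned property line built from the accepted entries only.
function lintAllowedFrontendUrls(value) {
  const accepted = [];
  const rejected = [];
  const seen = new Set();
  for (const raw of value.split(',')) {
    const entry = raw.trim();
    if (entry === '') continue; // empty property or trailing comma
    let url;
    try {
      url = new URL(entry); // throws when the entry is not an absolute URL
    } catch (err) {
      rejected.push({ entry, reason: 'not an absolute URL' });
      continue;
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      rejected.push({ entry, reason: 'scheme is not http(s)' });   // assumed rule
    } else if (url.username !== '' || url.password !== '') {
      rejected.push({ entry, reason: 'embedded credentials' });    // assumed rule
    } else if (seen.has(url.href)) {
      rejected.push({ entry, reason: 'duplicate' });               // assumed rule
    } else {
      seen.add(url.href);
      accepted.push(entry);
    }
  }
  const property = 'url.allowedFrontendUrls=' + accepted.join(',');
  return { accepted, rejected, property };
}

console.log(lintAllowedFrontendUrls(SAMPLE));
```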