Function: validateHttpUrlCandidate()
function validateHttpUrlCandidate(
rawUrl: unknown,
options?: {
disallowAuth?: boolean;
maxBytes?: number;
}
): HttpUrlValidationResult;
Defined in: shared/utils/urlSafety.ts:199
Validates and normalizes a URL intended to be used as an HTTP(S) endpoint.
Parametersโ
rawUrlโ
unknown
options?โ
disallowAuth?โ
boolean
When true, reject https://user:pass@host style credentials.
Default Value
true;
maxBytes?โ
number
Maximum UTF-8 byte budget accepted for the URL string.
Returnsโ
Remarksโ
Unlike validateExternalOpenUrlCandidate, this helper rejects all
non-HTTP(S) schemes (including mailto:) and is tuned for places where the
app expects to fetch or monitor a web endpoint.
This is primarily used at IPC trust boundaries to ensure consistent enforcement of:
- Trimming and empty-string handling
- UTF-8 byte budgets (defense-in-depth against oversized payloads)
- Newline/control-character rejection (CRLF injection protection)
- Validator.js URL semantics via isValidUrl