Browser allowlist is immutable

What changed

pkg/browser previously exported the scheme allowlist as a mutable package variable:

var AllowedSchemes = []string{"https", "http", "mailto"}

This contradicted the documented "not configurable" guarantee: any caller could widen (or empty) the allowlist at runtime and bypass the scheme gate. The variable has been unexported (allowedSchemes) and replaced with a function that returns a defensive copy:

// AllowedSchemes returns the URI schemes that OpenURL permits.
// The returned slice is a fresh copy on every call.
func AllowedSchemes() []string
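
The difference between the two designs, shown as an added example that is not the package's own code. LegacySchemes, permitted, sample and the two demo functions are hypothetical names, and permitted stands in for the scheme check inside OpenURL:

```go
package main

import (
	"fmt"
	"net/url"
)

// LegacySchemes models the old exported variable (hypothetical name):
// any importer can reassign it or append to it.
var LegacySchemes = []string{"https", "http", "mailto"}

// allowedSchemes is unexported, so only this package can modify it.
var allowedSchemes = []string{"https", "http", "mailto"}

// AllowedSchemes returns a copy with its own backing array.
func AllowedSchemes() []string { return append([]string(nil), allowedSchemes...) }

// permitted is an assumed stand-in for the scheme gate, not the real check.
func permitted(raw string, list []string) bool {
	u, err := url.Parse(raw) // url.Parse lowercases the scheme
	if err != nil {
		return false
	}
	for _, s := range list {
		if u.Scheme == s {
			return true
		}
	}
	return false
}

const sample = "file:///tmp/example.txt" // constructed input, not on the allowlist

// demoLegacy: a caller appends to the exported slice and the gate result changes.
func demoLegacy() (before, after bool) {
	before = permitted(sample, LegacySchemes)
	LegacySchemes = append(LegacySchemes, "file")
	return before, permitted(sample, LegacySchemes)
}

// demoCopy: writes to the returned copy never reach the slice the gate reads.
func demoCopy() (before, after bool) {
	before = permitted(sample, allowedSchemes)
	s := AllowedSchemes()
	s[0] = "file"
	return before, permitted(sample, allowedSchemes)
}

func main() {
	fmt.Println(demoLegacy()) // false true
	fmt.Println(demoCopy())   // false false
}
```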

Migration

If you read the allowlist for display or logging, call the function instead of reading the package variable:

// Before
schemes := browser.AllowedSchemes

// After
schemes := browser.AllowedSchemes()

If you previously mutated browser.AllowedSchemes to add a scheme, that path is intentionally removed. Extending the allowlist now requires a first-party code change with security-review sign-off, as the package documentation has always stated.