Opened 3 days ago

Closed 2 days ago

Last modified 2 days ago

#36054 closed New feature (wontfix)

Add schemes parameter to URLField for custom URL scheme validation

Reported by: Youngkwang Yang
Owned by: Youngkwang Yang
Component: Forms
Version: dev
Severity: Normal
Keywords: URLField, forms.URLField, schemes, URL validation, custom schemes
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Django URLField and forms.URLField currently validate URLs using the URLValidator with a predefined set of schemes: http, https, ftp, and ftps. While this default behavior meets general-purpose requirements, it lacks flexibility for specific use cases where developers need to restrict or expand the allowed schemes.

Examples of such use cases:

  • Applications that require only secure URLs (https).
  • Systems needing to validate custom or non-standard schemes such as gopher or custom-scheme.


This ticket introduces a new schemes parameter to both URLField and forms.URLField. This parameter allows developers to define a custom list of acceptable schemes, enabling more granular URL validation while maintaining backward compatibility.

Proposed Changes:

  • Extend the URLField and forms.URLField classes to accept an optional schemes parameter.
  • Update the deconstruct method in URLField to include the schemes parameter for proper migration support.
  • Modify forms.URLField to pass the schemes parameter to the URLValidator.
  • Preserve existing behavior by defaulting to the current scheme list (http, https, ftp, ftps) when schemes is not provided.
  • Add comprehensive test cases for both URLField and forms.URLField.

================================================

See examples

models.URLField

from django.db import models

class MyModel(models.Model):
    # Uses the default schemes (http, https, ftp, ftps)
    default_url = models.URLField()
    # Only allows HTTPS URLs
    secure_url = models.URLField(schemes=["https"])
    # Allows a custom scheme
    custom_scheme_url = models.URLField(schemes=["custom-scheme"])
    # Allows multiple specific schemes
    multiple_schemes_url = models.URLField(schemes=["https", "ftp", "custom-scheme"])

forms.URLField

from django import forms

class MyForm(forms.Form):
    # Default schemes
    default_url = forms.URLField()
    # Custom schemes
    secure_url = forms.URLField(schemes=["https"])
    custom_url = forms.URLField(schemes=["custom-scheme"])

Any feedback is appreciated!

Change History (5)

comment:1 by Youngkwang Yang, 3 days ago

Summary: Support schemes parameter to URLField for custom URL scheme validation → Add schemes parameter to URLField for custom URL scheme validation

comment:2 by Youngkwang Yang, 3 days ago

Owner: set to Youngkwang Yang
Status: new → assigned

comment:3 by Sarah Boyce, 2 days ago

Resolution: wontfix
Status: assigned → closed

Hi Youngkwang Yang, thank you for this suggestion.

You can add a validator to a field, so this should already be achievable with something like:

secure_url = models.URLField(validators=[validators.URLValidator(schemes=["https"])])

In general, as you are requesting a new feature for Django, the recommended path forward is to first propose and discuss the idea with the community and gain consensus. To do that, please consider starting a new conversation on the Django Forum, where you'll reach a broader audience and receive additional feedback.

I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it. For more information, please refer to the documented guidelines for requesting features.

comment:4 by Youngkwang Yang, 2 days ago

Thank you for your response.

The method you suggested is effective for restricting existing URL schemes to https, but it makes extending schemes like custom-scheme, deeplink, or mailto:// challenging. This is because the validators passed as arguments are combined with the existing default_validators, causing URLValidator validation to run twice.

Thank you for the guidance! I will start a discussion about this feature on the Django Forum.

comment:5 by Tim Graham, 2 days ago

See #25594: "Difficult to customize model field default_validators and have them used on both model and form fields".
