From 9a659b7efee27ec0ce8eefe55137958199b71c8f Mon Sep 17 00:00:00 2001
From: Michael Contreras <michael@atomicfi.com>
Date: Thu, 5 Feb 2026 15:52:45 -0800
Subject: [PATCH] fix(event|open-url): allow https only

---
 index.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 5cab9e1..ce376b1 100644
--- a/index.js
+++ b/index.js
@@ -149,7 +149,10 @@ function _handleIFrameEvent({
         if (onOpenUrl && typeof onOpenUrl === 'function') {
           onOpenUrl({url: payload.url})
         } else {
-          window.open(payload.url, '_blank')
+          const url = new URL(payload.url)
+
+          if ('https:' === url.protocol)
+            window.open(payload.url, '_blank')
         }
         break
       default: