blackears / svgSalamander


Fix #2 - CVE-2017-5617 - SSRF #12

Closed don-vip closed 7 years ago

don-vip commented 7 years ago

Allow only the data scheme to avoid Server-Side Request Forgery; see http://www.openwall.com/lists/oss-security/2017/01/29/2 and https://josm.openstreetmap.de/changeset/11526/josm/
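
The scheme allowlist this PR describes, as an added example rather than svgSalamander's own code: the vulnerable pattern (fetch whatever the `<image>` href names) sits next to the hardened one (accept `data:` only and decode it locally, so no request is ever made). The class name `ImageHrefPolicy` and its methods are hypothetical, the data-URI decoder is written here for illustration, and the hrefs in `main` are constructed inputs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Base64;
import java.util.Locale;

/** Added example, not svgSalamander code; names are hypothetical. */
public final class ImageHrefPolicy {

    /** The pattern behind the CVE: whatever the document points at is fetched. */
    static InputStream openAnyHref(String href) throws IOException {
        // A hostile SVG can name http://169.254.169.254/, file:///etc/passwd or an
        // intranet host; the server rendering it makes the request on the
        // attacker's behalf (SSRF) and may embed the response as pixels.
        return new URL(href).openStream();
    }

    /** Hardened pattern: only the data: scheme is accepted; nothing is fetched. */
    static InputStream openDataHrefOnly(String href) throws IOException {
        URI uri;
        try {
            uri = new URI(href.trim());
        } catch (URISyntaxException e) {
            throw new IOException("malformed image href", e);
        }
        String scheme = uri.getScheme();
        // A null scheme is a relative reference; resolved against an http(s)
        // document base it would still reach the network, so reject it too.
        if (scheme == null || !"data".equals(scheme.toLowerCase(Locale.ROOT))) {
            throw new IOException("image href scheme not allowed: " + scheme);
        }
        return new ByteArrayInputStream(decodeDataUri(uri));
    }

    /** Decodes the payload of an RFC 2397 data: URI (base64 or percent-encoded). */
    static byte[] decodeDataUri(URI uri) throws IOException {
        String ssp = uri.getRawSchemeSpecificPart(); // keep %XX escapes intact
        int comma = ssp.indexOf(',');
        if (comma < 0) {
            throw new IOException("data URI has no payload");
        }
        String meta = ssp.substring(0, comma);
        String payload = ssp.substring(comma + 1);
        if (meta.toLowerCase(Locale.ROOT).endsWith(";base64")) {
            try {
                // MIME decoder tolerates the line breaks SVG attributes often carry.
                return Base64.getMimeDecoder().decode(payload);
            } catch (IllegalArgumentException e) {
                throw new IOException("invalid base64 in data URI", e);
            }
        }
        return percentDecode(payload);
    }

    /** Minimal %XX decoder; '+' stays literal here, unlike in URLDecoder. */
    static byte[] percentDecode(String s) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '%') {
                out.write((byte) c);
                continue;
            }
            if (i + 2 >= s.length()) {
                throw new IOException("truncated percent escape");
            }
            int hi = Character.digit(s.charAt(i + 1), 16);
            int lo = Character.digit(s.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) {
                throw new IOException("invalid percent escape");
            }
            out.write(hi * 16 + lo);
            i += 2;
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: one inline payload (the bytes "hello", standing in
        // for image data) and three hrefs a hostile document would use.
        String inline = "data:text/plain;base64,aGVsbG8=";
        System.out.println(new String(openDataHrefOnly(inline).readAllBytes(), "US-ASCII"));
        String[] hostile = {"http://127.0.0.1:8080/admin", "FILE:///etc/passwd", "../secret.png"};
        for (String href : hostile) {
            try {
                openDataHrefOnly(href);
                System.out.println("BUG: accepted " + href);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The scheme comparison is done on `URI.getScheme()` after lower-casing, so `DATA:` and `FILE:` are handled the same as their lower-case forms, and the raw scheme-specific part is used for splitting so a `%2C` inside the payload is not mistaken for the separator. Rejecting every non-`data:` reference is the blunt fix the PR chose; the second comment's remark that a different long-term fix is needed reflects its cost, since legitimate relative image references are refused as well. A caller-supplied resolver that decides per document which bases or hosts are permitted would keep those working without reopening the SSRF.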

don-vip commented 7 years ago

The idea was to fix the issue quickly, as it was a severe security issue. We made this change in JOSM one month ago, as we do not use this feature. I agree that, for the long term, this issue should be fixed in a different manner.