uri-reference allows insecure protocols