✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Thanks for contributing to Streamlit! 🎈

Please make sure you have read our Contributing Guide. You can find additional information about Streamlit development in the wiki.

The review process:

1. Initial triage: A maintainer will apply labels, approve CI to run, and trigger AI-assisted reviews. Your PR may be flagged with status:needs-product-approval if the feature requires product team sign-off.

2. Code review: A core maintainer will start reviewing your PR once:

   • It is marked as 'ready for review', not 'draft'
   • It has status:product-approved (or doesn't need it)
   • All CI checks pass
   • All AI review comments are addressed

We're receiving many contributions and have limited review bandwidth — please expect some delay. We appreciate your patience! 🙏

Behavior and API sound good! Let me know once you fixed the most important issues above and I can give this a try.

should we add a visual indicator (e.g., external link icon) next to external links in the navigation menu? I can add this if
desired.

Yeah I think that would be cool! Can you try adding a small material icon on the right side of it, and post a screenshot of what it looks like? Then we can decide based on that.

@jrieke Thank you for the review!

I've addressed the feedback and added a visual indicator for external links:

• Added a small launch icon (:material/launch:) to the right side of external links
• Added tests for the icon rendering

Screenshot:

Ready for your review when you have a chance!

Hm okay I think the icon actually looks a bit weird, given that page icons are on the left side. I'd say we maybe we just leave this out and the dev can put an icon themselves on the left side if they want to show an indicator of this being an external page.

Did you already work on addressing the comments from Cursor above? If yes, happy to try it out locally.

Hm okay I think the icon actually looks a bit weird, given that page icons are on the left side. I'd say we maybe we just leave this out and the dev can put an icon themselves on the left side if they want to show an indicator of this being an external page.

Thanks for the feedback! The external link icon (launch icon) is placed on the right side, following the common UI pattern where left icons indicate content type and right icons indicate actions/behavior (similar to Material Design guidelines). Could you clarify what feels off — is it having two icons per row, or something else about the styling? Happy to adjust.

Did you already work on addressing the comments from Cursor above? If yes, happy to try it out locally.

Yes, both Cursor comments have been addressed

1. Popover now closes when clicking external links in the dropdown
2. External URLs are skipped when selecting an implicit default page

@jrieke
Thanks for the feedback on the external link icon! I understand the concern about it looking odd with page icons on the left.

How about aligning the nav items in a three-column layout?

This way:

• The left icon area always reserves space, so link text stays aligned even when no icon is set
• The launch icon sits on the right, following the common UI convention (left = content type, right = action/behavior)
• Items without a launch icon just have empty space on the right, keeping everything clean

I prototyped this with a small change — just fixed the width of StyledSidebarNavIcon and used margin-left: auto on the launch icon. All existing tests pass.

What do you think? Happy to push this if you'd like to see it in action.

Appreciate the effort but let's just remove the icon. I think altering the layout adds too much complexity for a small feature.

@jrieke Thanks for the feedback! I've removed the launch icon — external links now use the same layout as internal pages (icon + text only).

Both Cursor comments are also addressed:

1. Popover closes when clicking external links in the dropdown
2. External URLs are skipped when selecting an implicit default page

Ready for re-review when you have a chance.

Summary

This PR adds support for external web links (http/https URLs) in st.Page and st.navigation, allowing users to include external URLs alongside internal pages in the navigation menu. External links open in a new browser tab via target="_blank". The changes span the full stack: Python backend (page.py, navigation.py), protobuf (AppPage.proto), and frontend components (SidebarNavLink, SidebarNav, TopNav, TopNavSection).

Code Quality

The code is generally well-structured and follows existing patterns. A few observations:

1. Issue tracker references in production code/proto comments: Comments like // External URL support (Issue #9025) appear in SidebarNavLink.tsx (line 37), TopNav.tsx, TopNavSection.tsx, navigation.py (line 412), and AppPage.proto (line 37). Per project conventions, comments should describe what or why, not reference issue numbers. Issue linking belongs in commit messages and PR descriptions.

2. _sanitize_url_path in page.py (lines 31-45): This is a reasonable addition, properly prefixed with _ as a module-private function. However, the regex [&#?/\\:*\"<>|'] does not cover all URL-unsafe characters (e.g., %, +, =, @, ;). Consider using a more established URL-safe character allowlist approach (e.g., only keep [a-z0-9_]) for robustness.

3. _page type widening in page.py (line 301): The type of self._page was widened from Path | Callable[[], None] to Path | Callable[[], None] | None. While the code handles None correctly today (external pages return early from run()), this loosens the type contract. Consider using a separate sentinel or Union-discriminated approach to make this more explicit and type-safe.

4. TopNavSection.tsx (line 109): The {...item} spread on SidebarNavLink passes all IAppPage props to the component. While it works, it may inadvertently pass unknown props to the DOM. Since isExternal and externalUrl are now explicitly passed (lines 120-121), the spread is redundant for those fields.

Test Coverage

Python unit tests (page_test.py): Good coverage of StreamlitPage external URL behavior — 14 new tests covering creation, validation, sanitization, edge cases, and run() no-op behavior.

Frontend unit tests (SidebarNavLink.test.tsx): Good coverage of the SidebarNavLink component — 7 new tests covering target="_blank", rel, href resolution, click handling, and top-nav integration.

Significant gaps:

1. No tests for navigation.py changes: The logic in _navigation() that (a) skips external pages when selecting a default, and (b) raises an error when all pages are external (lines 343-354) has no corresponding tests in navigation_test.py. These are critical code paths.

2. No E2E tests: For a feature that fundamentally changes navigation behavior (links opening in new tabs, external URLs displayed in sidebar/top nav), E2E tests are important to verify full-stack behavior. Per the project's testing strategy and e2e_playwright/AGENTS.md, new elements or significant changes to existing ones should have E2E coverage.

3. No tests for st.switch_page / st.page_link interaction: See "Backwards Compatibility" section — these interactions are untested and potentially buggy.

4. No tests for SidebarNav, TopNav, or TopNavSection with external pages: Only SidebarNavLink has new tests. The click handlers in the parent components (which handle e.preventDefault() skipping for external links) are not tested.

Backwards Compatibility

Protobuf: Adding fields 8 (is_external) and 9 (external_url) to AppPage.proto is backward compatible. Old clients will ignore the new fields; old servers will send default values (false / "").

Critical interaction issues:

1. st.switch_page with external StreamlitPage (execution_control.py, line 276-277): If a user passes an external StreamlitPage to st.switch_page(page), the code uses page._script_hash and attempts an internal page navigation/rerun. It does not check page.is_external and does not raise a helpful error. The user would experience confusing behavior (the app reruns with no page content, or falls back to default).

2. st.page_link with external StreamlitPage (button.py, lines 1341-1349): When page_link receives a StreamlitPage, it sets page_script_hash and page (url_path) but does not set external = True. The external flag is only set when the page argument is a raw URL string (line 1360). This means st.page_link(external_page) would produce a broken internal link instead of an external one.

3. URL routing to external pages: External pages have a url_path (derived from title) and a _script_hash. If a user navigates to the external page's URL path in the browser (e.g., /docs), the _navigation function will select and return that external page. Calling .run() on it is a no-op, so the user sees entrypoint content but no page body — a confusing blank-page experience.

Security & Risk

• URL scheme validation: Uses the existing is_url() utility which checks for http/https schemes, preventing javascript: or other dangerous URI schemes. Good.
• target="_blank" with rel="noopener noreferrer": Correctly applied to prevent reverse tabnapping. Good.
• No URL content validation: The external URL is passed directly to the frontend href attribute. While scheme validation prevents script injection via javascript: URIs, there's no validation of the URL structure itself (e.g., extremely long URLs, URLs with encoded payloads). This is a low risk since browsers handle this, but worth noting.
• Regression risk: The URL routing issue (point 3 above) could cause regressions if external page url_paths collide with internal page url_paths.

Accessibility

1. Missing "opens in new tab" indicator: External links open via target="_blank" but provide no visual or accessible indication to the user. Per WCAG 2.1 SC 3.2.5 (Change on Request) and common accessibility best practices, links that open in a new window/tab should inform users. Consider:

   • Adding an external link icon (e.g., :material/open_in_new:) automatically or via aria attributes.
   • Adding aria-label text like "${pageName} (opens in new tab)" to the anchor element.
   • The PR description mentions this as an open question — it should be resolved before merge.

2. aria-current="page" on external links: If an external page's hash somehow matches the current page hash, it would receive aria-current="page", which is semantically incorrect since external links are never the "current" page in the app.

Recommendations

1. Handle st.switch_page and st.page_link for external pages: At minimum, st.switch_page should raise a StreamlitAPIException if passed an external page (e.g., "Cannot switch to an external URL page. Use st.page_link or the navigation menu instead."). st.page_link should detect page.is_external and set external = True / page = page.external_url on the proto.

2. Prevent URL routing to external pages: External pages should not be matchable via URL routing. Consider either (a) not including external pages in pagehash_to_pageinfo, or (b) handling the case in _navigation where page_to_return is external by falling back to the default page.

3. Add tests for _navigation() changes: Add tests to navigation_test.py for:

   • Mixed internal + external pages (default auto-selects first internal page).
   • All-external pages raises error.
   • Protobuf message correctly includes is_external and external_url fields.

4. Add E2E tests: Add at least one E2E test verifying that external links in sidebar/top navigation render correctly with target="_blank" and the correct href.

5. Add accessibility indicators: Add a visual and/or ARIA indicator that external links open in a new tab. At minimum, append "(opens in new tab)" to the aria-label.

6. Remove issue tracker references from code comments: Replace // External URL support (Issue #9025) with descriptive comments, or remove if the code is self-explanatory.

7. Consider excluding external pages from isActive comparison: In SidebarNav.tsx (line 283) and TopNav.tsx (line 93), external pages should never be marked active. Consider const isActive = !isExternal && page.pageScriptHash === currentPageScriptHash.

Verdict

CHANGES REQUESTED: The feature concept is solid, but there are critical interaction bugs with st.switch_page and st.page_link when receiving external StreamlitPage objects, a URL routing issue where navigating to an external page's path results in a blank page, missing tests for the navigation command changes, no E2E tests, and accessibility concerns around missing "opens in new tab" indicators. These issues need to be addressed before this PR is ready for merge.

This is an automated AI review by opus-4.6-thinking.

Consolidated Code Review

Summary

This PR adds first-class support for external web links (http/https URLs) in st.navigation, allowing users to include external URLs alongside internal pages in both sidebar and top navigation modes. External links open in a new browser tab (target="_blank" with rel="noopener noreferrer"). The change spans the full stack: protobuf definitions (AppPage oneof destination), Python backend (st.Page, st.navigation, st.switch_page, st.page_link), and React frontend (sidebar nav, top nav, styled components). It includes comprehensive Python unit tests, frontend tests, and E2E tests.

Both reviewers approved this PR. No critical or blocking issues were identified.

Code Quality

Reviewers agree: The implementation is clean, well-structured, and follows existing patterns consistently across the stack.

Key strengths noted by both:

• Good use of helper abstractions (isExternalPage, getExternalPageUrl, _set_page_destination) reused across components.
• Clean separation of external vs. internal paths in StreamlitPage.__init__ via early-return pattern.
• Correct use of the protobuf oneof pattern with SetInParent() for InternalDestination.
• Removal of {...item} spread in TopNavSection.tsx in favor of explicit props — safer and more maintainable.

Minor suggestions (non-blocking):

1. (Both reviewers) The class-level visibility attribute docstring in lib/streamlit/navigation/page.py (~line 234-239) still says hidden pages remain accessible via URL/st.switch_page, which is no longer true for external pages. Should be updated.
2. (opus-4.6-thinking) The self._page type annotation is only declared in the external branch (line 291). Declaring it once at class level or at the top of __init__ would be cleaner:

   self._page: Path | Callable[[], None] | None = None

Test Coverage

Reviewers agree: Coverage is thorough, well-structured, and appropriately layered.

• Python unit tests: ~22+ new tests covering URL detection, title validation, url_path sanitization, edge cases, external page rejection in st.switch_page, st.page_link with external pages, proto field serialization, and fallback behavior.
• Frontend unit tests: Comprehensive coverage across SidebarNavLink, SidebarNav, TopNav, TopNavSection, and utility functions — including anti-regression checks (e.g., onPageChange not called for external links).
• E2E tests: 3 tests covering sidebar attributes, sidebar internal navigation, and top nav attributes + navigation.

Minor gap (opus-4.6-thinking): No test for st.page_link with a hidden external StreamlitPage. The docs state hidden external pages "can only be opened via st.page_link" — a test verifying this would close the loop on documented behavior.

Backwards Compatibility

Reviewers agree: No breaking changes. All changes are purely additive.

• Protobuf adds new fields (8, 9) via oneof — old clients ignore unknown fields; unset destination correctly treated as internal.
• st.Page continues to accept the same parameter signature; external URLs are a new category of str inputs.
• Frontend props (isExternal, externalUrl) are optional with correct falsy defaults.

Security & Risk

Reviewers agree: Security posture is strong.

• External URL schemes restricted to http/https via is_url() — javascript:, vbscript:, and data: schemes explicitly tested as rejected.
• rel="noopener noreferrer" correctly applied to all external links.
• Direct URL access to external pages prevented server-side.
• st.switch_page rejects external pages with a clear error message.
• The backend never fetches external URLs — all navigation is client-side metadata only.

No security issues found.

External Test Recommendation

Reviewers disagree:

• gpt-5.3-codex-high: Yes (Medium confidence) — triggered categories: routing/URL behavior, cross-origin behavior.
• opus-4.6-thinking: No (High confidence) — tests are inherently local-only due to app script dependency.

Resolution: I agree with opus-4.6-thinking's assessment. The E2E tests verify DOM attributes and local navigation behavior using a specific app script structure. They never actually navigate to external URLs. The tests cannot run against an arbitrary externally hosted app, making @pytest.mark.external_test inapplicable. No external test markers needed.

Accessibility

Reviewers agree: Good accessibility practices throughout.

• Screen reader announcement via StyledVisuallyHidden with "(opens in new tab)" text — standard a11y pattern.
• aria-current="page" correctly suppressed for external links.
• Semantic <a> elements with proper href, target, and rel attributes.

Enhancement suggestion (opus-4.6-thinking): No visual indicator (icon) distinguishes external links for sighted users. A follow-up could add a small external-link icon (e.g., :material/open_in_new:) for visual parity with the screen reader text.

E2E External URLs

Reviewers disagree:

• gpt-5.3-codex-high: Recommends replacing third-party URLs (https://docs.streamlit.io, https://streamlit.io) with test-stable/local assets per E2E guidance.
• opus-4.6-thinking: Notes these URLs are only used as metadata strings in st.Page — never navigated to by test assertions (only attribute checks) — so they don't violate the "no external URLs" guideline.

Resolution: opus-4.6-thinking's analysis is correct. The URLs are string literals checked via attribute assertions, not HTTP requests. No network dependency is introduced. The current approach is acceptable, though using placeholder URLs (e.g., https://example.com) could further reduce any perception of external dependency.

Recommendations

1. Update stale docstring in lib/streamlit/navigation/page.py (~line 234-239) to reflect that hidden external pages are not URL-accessible or switchable via st.switch_page. (Both reviewers)
2. Consider declaring self._page type once at class level or top of __init__ for clarity. (Non-blocking)
3. Add a test for st.page_link with a hidden external page to verify the documented behavior. (Non-blocking)
4. Consider a visual external link indicator (e.g., an icon) in a follow-up to provide parity with the screen reader text for sighted users. (UX enhancement, non-blocking)
5. Minor E2E consolidation opportunity: The sidebar attributes and sidebar navigation tests could potentially be merged into a single scenario to reduce one browser load. (Non-blocking)

Verdict

APPROVED — Both reviewers approved. The feature is implemented coherently across backend/frontend/proto layers with comprehensive test coverage, proper security safeguards, good accessibility practices, and fully backward-compatible changes. All recommendations are minor, non-blocking enhancements suitable for follow-up work.

Consolidated review by opus-4.6-thinking. Individual reviews from 2/2 expected models received (gpt-5.3-codex-high, opus-4.6-thinking). No models failed to complete review.

@t0k0shi Just a heads up that I pushed some changes to this branch intentionally to fix up a few edge cases and add some additional tests.