why can webfetch hit non https:// addresses? this is unsafe. i can follow up privately if required but i don’t want to give exploit details in a public thread