diff --git a/cli/args/flags.rs b/cli/args/flags.rs
index 6919273532..7f67f67028 100644
--- a/cli/args/flags.rs
+++ b/cli/args/flags.rs
@@ -5084,12 +5084,12 @@ fn permission_args_parse(
   }
 
   if let Some(net_wl) = matches.remove_many::<String>("allow-net") {
-    let net_allowlist = flags_net::parse(net_wl.collect()).unwrap();
+    let net_allowlist = flags_net::parse(net_wl.collect())?;
     flags.permissions.allow_net = Some(net_allowlist);
   }
 
   if let Some(net_wl) = matches.remove_many::<String>("deny-net") {
-    let net_denylist = flags_net::parse(net_wl.collect()).unwrap();
+    let net_denylist = flags_net::parse(net_wl.collect())?;
     flags.permissions.deny_net = Some(net_denylist);
   }
 
@@ -10801,4 +10801,18 @@ mod tests {
       ["foo,", "bar"]
     );
   }
+
+  #[test]
+  fn net_flag_with_url() {
+    let r = flags_from_vec(svec![
+      "deno",
+      "run",
+      "--allow-net=https://example.com",
+      "script.ts"
+    ]);
+    assert_eq!(
+      r.unwrap_err().to_string(),
+      "error: invalid value 'https://example.com': URLs are not supported, only domains and ips"
+    );
+  }
 }
diff --git a/runtime/permissions/lib.rs b/runtime/permissions/lib.rs
index b5c870a077..c7ef864dbc 100644
--- a/runtime/permissions/lib.rs
+++ b/runtime/permissions/lib.rs
@@ -894,6 +894,10 @@ impl QueryDescriptor for NetDescriptor {
 // TODO(bartlomieju): rewrite to not use `AnyError` but a specific error implementations
 impl NetDescriptor {
   pub fn parse(hostname: &str) -> Result<Self, AnyError> {
+    if hostname.starts_with("http://") || hostname.starts_with("https://") {
+      return Err(uri_error(format!("invalid value '{hostname}': URLs are not supported, only domains and ips")));
+    }
+
     // If this is a IPv6 address enclosed in square brackets, parse it as such.
     if hostname.starts_with('[') {
       if let Some((ip, after)) = hostname.split_once(']') {