Enable IDNA 2008 in Non-Transitional Mode for URL processing, aligning Chrome's behavior with Firefox and Safari. Chrome currently uses IDNA 2008 in Transitional Mode in URL processing. The main difference between Transitional and Non-Transitional Mode is the handling of four characters known as deviation characters: ß (LATIN SMALL LETTER SHARP S), ς (GREEK SMALL LETTER FINAL SIGMA), ZWJ (Zero width joiner) and ZWNJ (Zero width non-joiner). In Transitional mode, deviation characters are handled the same as IDNA2003: ß is mapped to ss, ς is mapped to σ, and ZWJ and ZWNJ are deleted. In Non-Transitional mode, domains containing these characters are allowed in domain names without mapping, and thus can resolve to different IP addresses. For example, typing "faß.de" in Chrome and Firefox opens different sites today. Enabling Non-Transitional IDNA in Chrome will allow deviation characters in domain names. Firefox and Safari already made this change in 2016 and continue to use Non-Transitional URL processing.
This change introduces a potential security issue where a domain pointing to one IP may start pointing to another IP. As an example, IDNA2003 and Transitional IDNA-2008 map faß.de to fass.de (ß is a deviation character). Non-Transitional IDNA2008 maps it to xn--fa-hia.de, which is the punycode representation of faß.de. Typing "faß.de" in Chrome and Firefox currently opens different sites.

The main mitigations discussed were domain bundling / blocking, where registrars bundle domain names (e.g. registering faß.de along with fass.de) or block the alternative domain name (e.g. disallow faß.de if fass.de is registered).

According to data from Chrome 106 and 107:

- Less than 0.001% of user-typed or pasted main frame navigations had a deviation character in the hostname. This excludes link clicks and renderer initiated navigations, so the percentage of affected domains among all navigations is even lower.
- Only one hostname had a deviation character and had more than 50 impressions over a 28 day period (fußball.de). Both fußball.de and fussball.de have the same owner so this change doesn't affect them.

Thus, typing domain names with deviation characters is very rare. Domain bundling / blocking aren't blockers as this change won't have a significant impact on navigations. Finally, Firefox and Safari have been using Non-Transitional IDNA 2008 since 2016 without issues.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
DevTrial on desktop | 110 |
DevTrial on Android | 110 |
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com.