The writing and parsing rule of the URL host characters are updated to be compliant with the URL standard. The following characters characters will become forbidden in the hostnames as described in https://url.spec.whatwg.org/#forbidden-host-code-point: ' ' (space), '<', '>' and '|'. '[' and ']' are still allowed as a part of IPv6 addresses but will be forbidden in any other hostnames. The following characters will no longer be percent escaped in hostnames: '!', '"', '$', '&', ''' (the ' character itself), '(', ')', '*', ';', '=', '`', '{', '}' and '~'
The URL standard is a well established standard and the effort is a part of the URL interop 2023. We expect the risk to be minimal.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
The forbidden characters will throw TypeErrors where developers can find in the console.
No milestones specified
No spec change
Contact emails
g...@google.com, gotlo...@gmail.com, blink-net...@google.comExplainer
As a part of the URL interop 2023, the forbidden character table of hostnames will be updated as described in the URL spec. The characters in hostnames will be no longer percent escaped since it's not required by the URL spec.
Specification
https://url.spec.whatwg.org/#host-writingSummary
The writing and parsing rule of the URL host characters are updated to be compliant with the URL standard. The following characters characters will become forbidden in the hostnames as described in https://url.spec.whatwg.org/#forbidden-host-code-point: ' ' (space), '<', '>' and '|'. '[' and ']' are still allowed as a part of IPv6 addresses but will be forbidden in any other hostnames. The following characters will no longer be percent escaped in hostnames: '!', '"', '$', '&', ''' (the ' character itself), '(', ')', '*', ';', '=', '`', '{', '}' and '~'
Blink component
Blink>NetworkTAG review
TAG review status
Not applicableRisks
Interoperability and Compatibility
The URL standard is a well established standard and the effort is a part of the URL interop 2023. We expect the risk to be minimal.
Gecko: Positive The forbidden characters are partially followed in firefox. '*' is considered as an invalid character in hostnames. The characters are not percent escaped in the hostnames.
WebKit: Shipped/Shipping Safari strictly follows the forbidden character list and never percent escape the characters in the hostnames.
Web developers: No signals
Other signals:WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
Debuggability
The forbidden characters will throw TypeErrors where developers can find in the console.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
YesIs this feature fully tested by web-platform-tests?
Yes
Flag name
Requires code in //chrome?
FalseTracking bug
https://crbug.com/1398117Sample links
https://chromium-review.googlesource.com/c/chromium/src/+/4199790Estimated milestones
No milestones specified
Anticipated spec changes
No spec change
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5074885224693760This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1NyTJOqj0O0HMPQQuYrBgtjjPN3fjH8st1XP15AtsV1fPA%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2aa38a46-b491-44bb-9f06-166c0505187en%40chromium.org.
Thanks for working on interop! :)
Can you please explain what would be the impact of this change and provide examples of cases that are currently working and would stop working after this change is landed?Web developers are asking questions on this thread, and it'd be good to have an explainer that answers such questions.
Do we have use counters for content that would start throwing once this change lands?
Can you provide a link to the tests?
To simplify and keep this moving, I've filed https://github.com/mozilla/standards-positions/issues/759 as an umbrella issue for anything URL in Interop 2023.My view is that we can't improve our risk assessment of this by much with metrics, because we can't distinguish between harmless and serious breakage.
Instead what we should do is take some comfort in the fact that the behavior is already shipping in Safari, try to ship it and revert at the first sign of trouble to evaluate.
On Mon, Mar 13, 2023 at 10:46 AM Philip Jägenstedt <foo...@chromium.org> wrote:To simplify and keep this moving, I've filed https://github.com/mozilla/standards-positions/issues/759 as an umbrella issue for anything URL in Interop 2023.My view is that we can't improve our risk assessment of this by much with metrics, because we can't distinguish between harmless and serious breakage.Metrics can give us an upper bound, as well as a pile of examples that one can then manually sample and assess breakage.Instead what we should do is take some comfort in the fact that the behavior is already shipping in Safari, try to ship it and revert at the first sign of trouble to evaluate.Those are not contradictory. E.g. we could add metrics (+UKM) and a flag, and then be alert for bug reports from Beta, as well as randomly examine sites that touch the relevant usecounters and see if they were broken.Would that work from your perspective?
Yes, ideally this change ships behind a flag.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1NywiOk%2BFqtS4-nPDSjbp%3DBFfQ9wtENFVw7ue7EX8yim5g%40mail.gmail.com.
Yes, ideally this change ships behind a flag.
On 3/13/23 7:43 AM, 'Jiacheng Guo' via blink-dev wrote:
For Eli Grey's question:Yes, the behavior will change with the feature.I believe it's reasonable to add use. The isValidHost function behavior varies among different browsers. The change will make Chrome act as the URL standard.
I believe it's reasonable to add a use counter for the feature. Since the CL is created by an external developer, would you suggest creating a feature flag for it as well?
Philip, no - feature flag, in case we need to killswitch it.
Then we may follow this way:I will ask the contributor to implement the feature behind a feature flag and fix any test failures. The contributor may add a use counter. Otherwise I will add one.Then I can manually ship the feature behind the flag and monitor the UKM data.Does that make sense to you?
To simplify and keep this moving, I've filed https://github.com/mozilla/standards-positions/issues/759 as an umbrella issue for anything URL in Interop 2023.My view is that we can't improve our risk assessment of this by much with metrics, because we can't distinguish between harmless and serious breakage. Instead what we should do is take some comfort in the fact that the behavior is already shipping in Safari, try to ship it and revert at the first sign of trouble to evaluate. In other words, I'll happily LGTM this, but I'll send this round of feedback first, in case Yoav disagrees with that.Some additional replies inline:On Mon, Mar 13, 2023 at 5:30 AM Yoav Weiss <yoav...@chromium.org> wrote:Thanks for working on interop! :)Indeed, I'm very grateful and happy to see this work!Can you please explain what would be the impact of this change and provide examples of cases that are currently working and would stop working after this change is landed?Web developers are asking questions on this thread, and it'd be good to have an explainer that answers such questions.I've replied to Eli.More generally, since this is a change in the nitty gritty details, my concrete advice for web developers would be to test what Safari currently does and assume that's what Chrome is going to start doing. If one doesn't have access to Safari, then https://www.browserstack.com/screenshots can be used for one-off tests, as long as the test result appears on the page.The other difference to Safari that's easy to test for is when exceptions are thrown. `new URL('https://example|.com')` returns a URL escaped as "https://example%7C.com" in Chrome, but throws TypeError in Safari.
Do we have use counters for content that would start throwing once this change lands?I'll let Jiacheng answer, but if the answer is no, I'm skeptical that adding use counters will meaningfully help us judge the risk of this. Breaking it down:
- Many invalid URLs already throw exceptions, which may be caught. Knowing that new exceptions will be thrown in X% of page views will not help know how often those are caught and the web app still behaves correctly.
- Changes in serialization are akin to changing a return value. We can't instrument the downstream effects of that and determine if the difference led to a different outcome.
Can you provide a link to the tests?There's no way to link to exactly the subtests that will be affected, but "Parsing: <http://example example.com> against <http://other.com/>" in url-constructor.any.html is one of them.Best regards,Philip
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAARdPYdKrtMS10VJxvzKntoXMBOEaA1doTYqpQ1W4%2BX1q40-bg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfX7OX4nY-Xyb-JtTer3qUk8iLCorKNYNM%2BVFostCzYhKw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-txxAerRT7rpqU7Ac9mCu2t%2BK8OwVhP3rPwVF3VPVnvw%40mail.gmail.com.