Intent to Implement & Ship: percent-encode the delete character when parsing URLs
133 views
Skip to first unread message
Frédéric Wang
Jul 29, 2020, 11:17:50 AM7/29/20
to blink-dev
Contact emails
fw...@igalia.com
Explainer
Spec
https://url.spec.whatwg.org/#concept-basic-url-parser
TAG review
Not needed, existing specification.
Summary
When parsing URLs, encode the character U+7F DELETE as "%7F".
This improves readability, reduces spoofing risk, makes Chrome's
behavior more consistent, interoperable with other browsers and
compliant with the specification.
Link to “Intent to Prototype” blink-dev discussion
None
Risks
Interoperability and Compatibility
* Interoperability: This will make it compatible with Gecko and WebKit ;
as well as with the specification.
* Compatibility: This will change the string of the parsed URL. However,
that string will still redirect to the same page. Risk seems low since
other browsers support that and websites have to work with them. Plus
this does not sound a common character for URLs.
Gecko: Positive
Shipped
WebKit: Positive
Shipped
Web developers: Positive (https://github.com/whatwg/html/issues/3377)
There is an existing bug report about how percent-encoding is done for
registerProtocolHandler, which is affected by the special case of U+5F.
Ergonomics
This will change how URLs are rendered in the location bar and
statusline (using %5F instead of any potential DEL glyph)
Security
This might help to reduce spoofing risks.
Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux,
Chrome OS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests?
Yes
There are already URL parsing tests in WPT's url/ ; new cases are added
for U+5F in
https://chromium-review.googlesource.com/c/chromium/src/+/2324425
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=809852
Demo links
data:text/html,%3Ca
href%3D"https%3A%2F%2Fexample.org%2F%26%23x7F%3B"%3Especial URL
path%3C%2Fa%3E %3Ca
href%3D"javascript%3Aalert('%26%23x7F%3B')"%3Enon-special URL
path%3C%2Fa%3E %3Ca
href%3D"https%3A%2F%2Fexample.org%2F%23%26%23x7F%3B"%3EURL
fragment%3C%2Fa%3E
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5651438652882944
This intent message was generated by Chrome Platform Status.
--
Frédéric Wang
fw...@igalia.com
Explainer
Spec
https://url.spec.whatwg.org/#concept-basic-url-parser
TAG review
Not needed, existing specification.
Summary
When parsing URLs, encode the character U+7F DELETE as "%7F".
This improves readability, reduces spoofing risk, makes Chrome's
behavior more consistent, interoperable with other browsers and
compliant with the specification.
Link to “Intent to Prototype” blink-dev discussion
None
Risks
Interoperability and Compatibility
* Interoperability: This will make it compatible with Gecko and WebKit ;
as well as with the specification.
* Compatibility: This will change the string of the parsed URL. However,
that string will still redirect to the same page. Risk seems low since
other browsers support that and websites have to work with them. Plus
this does not sound a common character for URLs.
Gecko: Positive
Shipped
WebKit: Positive
Shipped
Web developers: Positive (https://github.com/whatwg/html/issues/3377)
There is an existing bug report about how percent-encoding is done for
registerProtocolHandler, which is affected by the special case of U+5F.
Ergonomics
This will change how URLs are rendered in the location bar and
statusline (using %5F instead of any potential DEL glyph)
Security
This might help to reduce spoofing risks.
Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux,
Chrome OS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests?
Yes
There are already URL parsing tests in WPT's url/ ; new cases are added
for U+5F in
https://chromium-review.googlesource.com/c/chromium/src/+/2324425
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=809852
Demo links
data:text/html,%3Ca
href%3D"https%3A%2F%2Fexample.org%2F%26%23x7F%3B"%3Especial URL
path%3C%2Fa%3E %3Ca
href%3D"javascript%3Aalert('%26%23x7F%3B')"%3Enon-special URL
path%3C%2Fa%3E %3Ca
href%3D"https%3A%2F%2Fexample.org%2F%23%26%23x7F%3B"%3EURL
fragment%3C%2Fa%3E
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5651438652882944
This intent message was generated by Chrome Platform Status.
--
Frédéric Wang
Frédéric Wang
Jul 29, 2020, 11:58:14 AM7/29/20
to blin...@chromium.org
On 29/07/2020 17:17, Frédéric Wang wrote:
> Demo links
> data:text/html,%3Ca
> href%3D"https%3A%2F%2Fexample.org%2F%26%23x7F%3B"%3Especial URL
> path%3C%2Fa%3E %3Ca
> href%3D"javascript%3Aalert('%26%23x7F%3B')"%3Enon-special URL
> path%3C%2Fa%3E %3Ca
> href%3D"https%3A%2F%2Fexample.org%2F%23%26%23x7F%3B"%3EURL
> fragment%3C%2Fa%3E
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5651438652882944
Sorry for the broken link, the chrome status entry has more detailed
> Demo links
> data:text/html,%3Ca
> href%3D"https%3A%2F%2Fexample.org%2F%26%23x7F%3B"%3Especial URL
> path%3C%2Fa%3E %3Ca
> href%3D"javascript%3Aalert('%26%23x7F%3B')"%3Enon-special URL
> path%3C%2Fa%3E %3Ca
> href%3D"https%3A%2F%2Fexample.org%2F%23%26%23x7F%3B"%3EURL
> fragment%3C%2Fa%3E
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5651438652882944
examples:
* <a href="https://example.org/#">URL fragment</a>
* <a href="https://example.org/">special URL path</a>
* <a href="javascript:alert('')">non-special URL path</a>
If you hover one link or follow it, the statusline and url bar should
use %7F. Chrome does it for the first one but not for the others.
Another example with JavaScript: (new URL('web+foo:\u007F').href should
output "web+foo:%7F"
Also, U+5F in my initial email is a mistake, it should be U+7F everywhere.
--
Frédéric Wang
Domenic Denicola
Jul 29, 2020, 12:14:52 PM7/29/20
to Frédéric Wang, blink-dev
Non-owner LGTM. I'm very excited to see some progress toward improving our URL parser interop and spec conformance. (See https://bugs.chromium.org/p/chromium/issues/detail?id=660384 for the meta-bug.) This particular corner helps rationalize registerProtocolHandler(), which we've been working with Mozilla on recently in https://github.com/whatwg/html/pull/5524.
Personally I think this errs more on the side of a bugfix, and probably doesn't require an Intent, but it's always good to err on the side of caution.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/757864b6-b4cd-188b-e28c-a6b82e30fe7d%40igalia.com.
Personally I think this errs more on the side of a bugfix, and probably doesn't require an Intent, but it's always good to err on the side of caution.
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/757864b6-b4cd-188b-e28c-a6b82e30fe7d%40igalia.com.
Yoav Weiss
Jul 29, 2020, 1:02:41 PM7/29/20
to Domenic Denicola, Frédéric Wang, blink-dev
LGTM1
Seems low risk and likely to increase compatibility.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/MN2PR13MB361350FF46DD3D1167D71275DF700%40MN2PR13MB3613.namprd13.prod.outlook.com.
Mike West
Jul 30, 2020, 2:30:07 PM7/30/20
to blink-dev, yo...@yoav.ws, fw...@igalia.com, blink-dev, d...@domenic.me
LGTM2. I'm happy to see us catching up on interop here. Thanks!
-mike
Chris Harrelson
Jul 30, 2020, 2:47:23 PM7/30/20
to Mike West, blink-dev, yo...@yoav.ws, fw...@igalia.com, d...@domenic.me
LGTM3
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/156040de-c161-4e7c-b22f-6ab3f53269f0n%40chromium.org.
Reply all
Reply to author
Forward
0 new messages