Intent to Implement & Ship: percent-encode the delete character when parsing URLs


Frédéric Wang

Jul 29, 2020, 11:17:50 AM
to blink-dev
Contact emails
fw...@igalia.com

Explainer

Spec
https://url.spec.whatwg.org/#concept-basic-url-parser

TAG review
Not needed, existing specification.

Summary
When parsing URLs, encode the character U+7F DELETE as "%7F".

This improves readability, reduces spoofing risk, makes Chrome's
behavior more consistent, interoperable with other browsers and
compliant with the specification.

Link to “Intent to Prototype” blink-dev discussion
None

Risks
Interoperability and Compatibility
* Interoperability: This will make it compatible with Gecko and WebKit,
as well as with the specification.

* Compatibility: This will change the string of the parsed URL. However,
that string will still redirect to the same page. Risk seems low since
other browsers support that and websites have to work with them. Plus
this does not sound like a common character for URLs.

Gecko: Positive

Shipped

WebKit: Positive

Shipped

Web developers: Positive (https://github.com/whatwg/html/issues/3377)
There is an existing bug report about how percent-encoding is done for
registerProtocolHandler, which is affected by the special case of U+5F.

Ergonomics
This will change how URLs are rendered in the location bar and
statusline (using %5F instead of any potential DEL glyph)

Security
This might help to reduce spoofing risks.

Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, Chrome OS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests?
Yes
There are already URL parsing tests in WPT's url/; new cases are added
for U+5F in
https://chromium-review.googlesource.com/c/chromium/src/+/2324425

Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=809852

Demo links
data:text/html,%3Ca
href%3D"https%3A%2F%2Fexample.org%2F%26%23x7F%3B"%3Especial URL
path%3C%2Fa%3E %3Ca
href%3D"javascript%3Aalert('%26%23x7F%3B')"%3Enon-special URL
path%3C%2Fa%3E %3Ca
href%3D"https%3A%2F%2Fexample.org%2F%23%26%23x7F%3B"%3EURL
fragment%3C%2Fa%3E

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5651438652882944

This intent message was generated by Chrome Platform Status.

--

Frédéric Wang

Frédéric Wang

Jul 29, 2020, 11:58:14 AM
to blin...@chromium.org
On 29/07/2020 17:17, Frédéric Wang wrote:
> Demo links
> data:text/html,%3Ca
> href%3D"https%3A%2F%2Fexample.org%2F%26%23x7F%3B"%3Especial URL
> path%3C%2Fa%3E %3Ca
> href%3D"javascript%3Aalert('%26%23x7F%3B')"%3Enon-special URL
> path%3C%2Fa%3E %3Ca
> href%3D"https%3A%2F%2Fexample.org%2F%23%26%23x7F%3B"%3EURL
> fragment%3C%2Fa%3E
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5651438652882944

Sorry for the broken link, the chrome status entry has more detailed
examples:

* <a href="https://example.org/#&#x007F;">URL fragment</a>

* <a href="https://example.org/&#x007F;">special URL path</a>

* <a href="javascript:alert('&#x007F;')">non-special URL path</a>

If you hover one link or follow it, the statusline and url bar should
use %7F. Chrome does it for the first one but not for the others.

Another example with JavaScript: new URL('web+foo:\u007F').href should
output "web+foo:%7F"

Also, U+5F in my initial email is a mistake, it should be U+7F everywhere.

--
Frédéric Wang
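
An added example, not part of the original thread and not Chromium or WPT code: a small audit that runs the four inputs from the message above through a URL serializer and reports any case where U+007F is not emitted as "%7F". `legacyLikeHref` is a hypothetical, constructed stand-in that mimics the behaviour the message describes (fragment encoded, paths left raw) so the audit has something to catch.

```javascript
// Added example: checks that a URL parser serializes U+007F DELETE as "%7F".
// Inputs and expected hrefs are the four cases given in the message above.
const DEL = '\u007F';
const CASES = [
  { name: 'URL fragment', input: `https://example.org/#${DEL}`, expected: 'https://example.org/#%7F' },
  { name: 'special URL path', input: `https://example.org/${DEL}`, expected: 'https://example.org/%7F' },
  { name: 'non-special URL path', input: `javascript:alert('${DEL}')`, expected: "javascript:alert('%7F')" },
  { name: 'web+foo path', input: `web+foo:${DEL}`, expected: 'web+foo:%7F' },
];

// Serializer under test: the platform's own WHATWG URL implementation.
function platformHref(input) {
  return new URL(input).href;
}

// Hypothetical stand-in for a non-conforming serializer: it keeps "%7F" in the
// fragment but puts a raw DEL back everywhere before the "#".
function legacyLikeHref(input) {
  const href = new URL(input).href;
  const hash = href.indexOf('#');
  const head = hash === -1 ? href : href.slice(0, hash);
  const tail = hash === -1 ? '' : href.slice(hash);
  return head.replace(/%7F/gi, DEL) + tail;
}

// Returns one record per failing case. A case fails when the serialized URL
// differs from the expected string or still contains a raw U+007F, which is
// the condition that matters for what a status line or URL bar would display.
function auditDelEncoding(serialize) {
  const failures = [];
  for (const { name, input, expected } of CASES) {
    const got = serialize(input);
    const rawDel = got.includes(DEL);
    if (got !== expected || rawDel) {
      // JSON.stringify makes the otherwise invisible DEL show up as \u007f.
      failures.push({ name, rawDel, got: JSON.stringify(got), expected });
    }
  }
  return failures;
}

console.log('platform failures:', auditDelEncoding(platformHref));
console.log('legacy-like failures:', auditDelEncoding(legacyLikeHref).map((f) => f.name));
```
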

Domenic Denicola

Jul 29, 2020, 12:14:52 PM
to Frédéric Wang, blink-dev
Non-owner LGTM. I'm very excited to see some progress toward improving our URL parser interop and spec conformance. (See https://bugs.chromium.org/p/chromium/issues/detail?id=660384 for the meta-bug.) This particular corner helps rationalize registerProtocolHandler(), which we've been working with Mozilla on recently in https://github.com/whatwg/html/pull/5524.

Personally I think this errs more on the side of a bugfix, and probably doesn't require an Intent, but it's always good to err on the side of caution.

Yoav Weiss

Jul 29, 2020, 1:02:41 PM
to Domenic Denicola, Frédéric Wang, blink-dev
LGTM1

Seems low risk and likely to increase compatibility.

Mike West

Jul 30, 2020, 2:30:07 PM
to blink-dev, yo...@yoav.ws, fw...@igalia.com, blink-dev, d...@domenic.me
LGTM2. I'm happy to see us catching up on interop here. Thanks!

-mike

Chris Harrelson

Jul 30, 2020, 2:47:23 PM
to Mike West, blink-dev, yo...@yoav.ws, fw...@igalia.com, d...@domenic.me