Support non-special scheme URLs.
Previously, Chromium's URL parser didn't handle non-special scheme URLs properly. It treated these URLs as “opaque paths”, which didn’t align with the URL Standard.
Now, Chromium’s URL parser correctly processes non-special URLs.
Examples:
Before:
> const url = new URL("git://host/path");
> url.host
""
> url.pathname
"//host/path"
> url.host = "newhost";
> url.host
""
> const url = new URL("git://a b/path");
> url.pathname
"//a b/path"
After:
> const url = new URL("git://host/path");
> url.host
"host"
> url.pathname
"/path"
> url.host = "newhost";
> url.host
"newhost"
> url.href
"git://newhost/path"
> const url = new URL("git://a b/path");
=> throws Exception. // A space character is not allowed as a hostname.
See http://bit.ly/url-non-special for more details.
As part of our Interop 2024 efforts, this change delivers the following improvements:
Boosts WPT URL Score: 936 previously failing subtests in the WPT URL tests (link) now pass, raising the score from 87.0% to 94.7%.
Fixes code relying on incorrect URL behavior: 527 tests (link) and related code in Chromium that depended on the previous behavior are now fixed or mitigated, including:
Web tests that relied on non-compliant non-special URL behavior (e.g. “javascript://a b” URL)
Non-special schemes used internally by Chromium code base, including ChromeOS (e.g. “steam:”, “materialized-view://”, “cros-apps://”)
Not applicable
Since Safari and Firefox already support non-special scheme URLs, the likelihood of public websites breaking due to this change is likely low. See here for a rough estimation of the non-special scheme URL usages.
Gecko: Shipped
WebKit: Shipped
Web developers: Generally seems positive.
Some signals (from interop 2024 discussions) are:
> Confusion because URL parsers across Blink, Gecko, WebKit, Node, and Deno do not interop well. The root cause is nearly always parser bugs in Blink or Gecko: https://twitter.com/oleg008/status/1699087223751073883
> URL is very widely used - custom schemes are commonly used for links to native apps, or when dealing with developer tooling like databases. They may also become exceedingly more common with import maps.
Other potential risks and assessments:
Enterprise usage: It's difficult to predict how non-special URLs are used in the wild, especially by enterprise customers with in-house apps. While adding an Enterprise Policy was considered to mitigate risks, technical limitations make it difficult to support URLs. See http://bit.ly/url-non-special for more info. We'll disable the feature with Finch (StandardCompliantNonSpecialSchemeURLParsing flag) in case this causes serious issues.
Impacts on well-known non-special schemes: See here for the impacts on “javascript://”, “data:”, and so on.
Impacts on dependent components: This change affects components relying on URL behavior, like Origin. See the Security section below.
In Chromium, GURL, KURL, and web-facing URL APIs share the common URL parser backends, which reside in //url. As a result, this web-facing change will also affect core components like url::Origin, kurl::SecurityOrigin.
For detailed information on how url::Origin, kurl::SecurityOrigin, and web-facing url.origin are impacted, please refer to this CL’s description.
TL;DR. This is a complex issue due to historical reasons. While most components remain unaffected, there are some nuances, particularly regarding the “Android WebView Hack”. We’ve preserved the current Origin behavior for Android WebView.
Beyond the aforementioned "Android WebView Hack", there are no other changes specific to WebView.
Yes.
Yes (dashboard)
StandardCompliantNonSpecialSchemeURLParsing
False
M130
https://chromestatus.com/feature/5201116810182656
Links to previous Intent discussions
Previous I2S. The previous I2S mail was sent last year but please consider this intent to ship as a new one.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFpjS_1_R%3D%2BHXYgTCuLD_WGR0foLKVnxAU9am1QbHyAZ%3D%2B3Ohw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAARdPYdo4SEr05zmLKj4U4OD3f8Gx0taa-7B%3D-5n1K69b6_mgw%40mail.gmail.com.
--
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFpjS_1%3D48YmdprXVdy_3SWRqneFFcy6BRuaw_w%2BxvrjyAc2CA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra9m1qFkKLjKPu3B-fQMtvf0acXo3YGhZTWGeQcAgh-MVg%40mail.gmail.com.
I'm very excited to see this work proceeding and am looking forward to being able to LGTM. A few requests before we get there:
- From what I understand we still won't be spec-compliant for android:, drivefs:, steam:, chromeos-steam:, and materialized-view:. Can you add failing web platform tests for all of those cases, to ensure that we capture this non-compliance?
- I don't understand the role of the scheme registry after we ship this change. What will it do? The doc says "(TBD) Remove the Scheme Registry. This can be yet another non-trivial project. This document does not cover this task." Are there still web-exposed behaviors between non-registered and registered schemes? Is there a danger that people will add more schemes to the registry and cause URL parsing to change? Or is this purely about code cleanup as after this change the scheme registry is a no-op?
- In general it would be great to have a section of the doc covering future work, such as fixing those exceptional schemes, removing the scheme registry, and anything else that you have in mind. In particular I'm interested in which of these future work projects have compat impacts so we can know how web developers might see URL parsing change in the future.