Intent to Deprecate and Remove: Remove auto-detection of ISO-2022-JP charset in HTML
Chromestatus
Contact emails
jkok...@google.comExplainer
NoneSpecification
NoneSummary
There are known[1] security issues around charset auto-detection for ISO-2022-JP. Given that the usage is very low, and Safari does not support auto-detection of ISO-2022-JP, we will remove support for it to eliminate the security issues. [1]: https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/
Blink component
Blink>TextEncodingMotivation
There are known[1] security issues around charset auto-detection for ISO-2022-JP. The use counter[2] shows that the auto-detection of ISO-2022-JP charset only happens around 0.000002% of page load. Given that usage is very low, and Safari does not support auto-detection of ISO-2022-JP, we will remove support for it to eliminate the security issues. [1]: https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/ [2]: https://chromestatus.com/metrics/feature/timeline/popularity/5244
Initial public proposal
NoneTAG review
NoneTAG review status
Not applicableRisks
Interoperability and Compatibility
None
Gecko: Positive (https://github.com/mozilla/standards-positions/issues/1199)
WebKit: Shipped/Shipping
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Debuggability
None
Is this feature fully tested by web-platform-tests?
NoFlag name on about://flags
NoneFinch feature name
NoneNon-finch justification
NoneRequires code in //chrome?
FalseTracking bug
https://issues.chromium.org/issues/40089450Estimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6576566521561088?gate=6587467307941888
Mike Taylor
LGTM1 to just remove this outright.
I looked at the 8 sites listed on chromestatus, and of those only 2 seem to be affected in a meaningful way. Would you mind trying to do outreach to those 2 sites and let them know how they can fix this ahead of the change?
https://bbb.asahi-net.or.jp/ - mentions using Netscape Navigator. So possibly a relic from the past. But maybe worth trying to send an email to https://asahi-net.jp/, in case someone still uses this service?
https://shugo.net/ - a personal site that will be broken, but there appear to be some email addresses on the homepage.
(the rest below aren't affected meaningfully)
http://www.chem.aoyama.ac.jp/ - the initial landing page is garbled before the page is redirected (after 3 seconds) to http://www.chem.aoyama.ac.jp/Chem/index.html. That page is fine.
https://dentalx.sakura.ne.jp/ is blank.
https://flex.phys.tohoku.ac.jp/ - this page works in Safari today.
https://kima3.net - effectively a blank site.
https://wi-lab.com/ - has a meta refresh to "/wi-lab/index.html", and it looks fine in Safari (but a lot of text is in images...).
https://www.medipal-app.com/ - has a meta refersh to "/App/", and
it looks fine in Safari.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67f40d24.170a0220.25676e.144b.GAE%40google.com.
Daniel Bratell
LGTM2
I second Mike's suggestion to give a heads-up to the two sites we know are affected.
/Daniel
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/743ef69c-6d01-44c4-9dc4-79fd65a158d4%40chromium.org.
TAMURA, Kent
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/91de0bec-32e2-485b-9be3-79426063b1a1%40gmail.com.
Software Engineer, Google
Jun Kokatsu
I've sent emails to 2 sites which were affected.