Forbidden host code points #214

annevk · 2017-01-23T15:33:30Z

In #185 (comment) @achristensen07 complained about the host code point restrictions I was adding for opaque hosts. I figured I'd explain the rules for code point restrictions in hosts in general once here and then we can either decide to agree or fiddle with the specifics.

Currently we have the following restrictions for non-opaque hosts. I listed the justification for each on the right:

U+0000 (generally problematic)
U+0009 (stripped when parsing URLs, would create reparsing issues)
U+000A (stripped when parsing URLs, would create reparsing issues)
U+000D (stripped when parsing URLs, would create reparsing issues)
U+0020 (creates copy-and-paste issues, see Consider always escaping U+0020 #125)
"#" (would create reparsing issues)
"%" (would create reparsing issues due to host percent-decoding)
"/" (would create reparsing issues)
":" (would create reparsing issues)
"?" (would create reparsing issues)
"@" (would create reparsing issues)
"[" (would create reparsing issues)
"" (would create reparsing issues)
"]" (would create reparsing issues)

Now for non-opaque hosts I took this list and removed the code points that were no longer problematic. And those are "%" (opaque hosts have no percent decoding), "[" (no IPv6), "" (no special backslash handling), and "]" (no IPv6).

The reason to be maximally liberal is given in #159 (comment).

@achristensen07 does this help or do you have the same concerns still? And if so, what would you do?

achristensen07 · 2017-01-24T07:59:04Z

This makes sense. I just didn't see a documented reason for the seemingly-arbitrary list, but now it makes sense.

annevk · 2017-01-24T08:01:29Z

Thank you, that should allow us to close a number of issues this week.

achristensen07 · 2017-01-24T08:03:31Z

For simplicity's sake, since this is so similar to the list of invalid domain characters, it might be nice to keep them the same. That would prevent issues if people switch schemes, etc.

annevk · 2017-01-24T08:08:15Z

Currently the specification disallows scheme switching for this reason (and also because non-special and special parse so differently), but making them the same seems reasonable nonetheless. I'll refactor the PR so that the list of code points is a reference rather than duplicated.

https://bugs.webkit.org/show_bug.cgi?id=167779 Reviewed by Chris Dumez. LayoutTests/imported/w3c: * web-platform-tests/url/a-element-expected.txt: * web-platform-tests/url/a-element-xhtml-expected.txt: * web-platform-tests/url/url-constructor-expected.txt: * web-platform-tests/url/url-setters-expected.txt: Source/WebCore: Covered by newly passing web platform tests. * platform/URLParser.cpp: (WebCore::isC0Control): (WebCore::isForbiddenHostCodePoint): (WebCore::URLParser::parseHostAndPort): In non-special URL hosts such as customprotocol://strange%host don't accept characters that are part of the URL grammar and would be forbidden in a special URL host, like https://not[allowed This was recently added to the spec in whatwg/url#214 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@211638 268f45cc-cd09-0410-ab3c-d52691b4dbfc

annevk added a commit that referenced this issue Jan 24, 2017

see #214 (and mention as fixed in the final commit message)

1f2728b

annevk closed this as completed in 3036255 Jan 24, 2017

annevk mentioned this issue Jan 30, 2017

Fix: allow percent encoded code points in the non-special URLs host #218

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Forbidden host code points #214

Forbidden host code points #214

annevk commented Jan 23, 2017

achristensen07 commented Jan 24, 2017

annevk commented Jan 24, 2017

achristensen07 commented Jan 24, 2017

annevk commented Jan 24, 2017

Forbidden host code points #214

Forbidden host code points #214

Comments

annevk commented Jan 23, 2017

achristensen07 commented Jan 24, 2017

annevk commented Jan 24, 2017

achristensen07 commented Jan 24, 2017

annevk commented Jan 24, 2017