On Wednesday, November 30, 2022 at 6:37:57 AM UTC+1 yoav...@chromium.org wrote:
> Thanks for working on alignment here!!
>
> On Tue, Nov 29, 2022 at 7:30 AM 'Harald Alvestrand' via blink-dev <blin...@chromium.org> wrote:
>
>> This IDNA 2008 author applauds your decision.
>>
>>
>> On Mon, Nov 28, 2022 at 10:16 PM Mustafa Emre Acer <mea...@chromium.org> wrote:
>>
>>> Contact emails: mea...@chromium.org
>>>
>>> Specification: https://unicode.org/reports/tr46
>>>
>>> Summary
>>>
>>> Enable IDNA 2008 in Non-Transitional Mode for URL processing, aligning
>>> Chrome's behavior with Firefox and Safari. Chrome currently uses IDNA 2008
>>> in Transitional Mode in URL processing. The main difference between
>>> Transitional and Non-Transitional Mode is the handling of four characters
>>> known as deviation characters: ß (LATIN SMALL LETTER SHARP S), ς (GREEK
>>> SMALL LETTER FINAL SIGMA), ZWJ (Zero width joiner) and ZWNJ (Zero width
>>> non-joiner). In Transitional mode, deviation characters are handled the
>>> same as IDNA2003: ß is mapped to ss, ς is mapped to σ, and ZWJ and ZWNJ are
>>> deleted. In Non-Transitional mode, domains containing these characters are
>>> allowed in domain names without mapping, and thus can resolve to different
>>> IP addresses. For example, typing "faß.de <http://fass.de>" in Chrome
>>> and Firefox opens different sites today. Enabling Non-Transitional IDNA in
>>> Chrome will allow deviation characters in domain names. Firefox and Safari
>>> already made this change in 2016 and continue to use Non-Transitional URL
>>> processing.
>>>
>>>
>>> Blink component: UI>Security>UrlFormatting
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:UI%3ESecurity%3EUrlFormatting>
>>>
>>> Search tags: idna <https://chromestatus.com/features#tags:idna>
>>>
>>> TAG review: This feature addresses conformance to an existing spec and
>>> other browsers already do it.
>>>
>>> TAG review status: Not applicable
>>>
>>> Risks
>>>
>>>
>>> Interoperability and Compatibility
>>>
>>>
>>>
>>> *Gecko*: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1218179)
>>>
>>> *WebKit*: Shipped/Shipping (https://trac.webkit.org/changeset/208902/webkit)
>>>
>>> *Web developers*: No signals
>>>
>>> *Other signals*:
>>>
>>> Security
>>>
>>> This change introduces a potential security issue where a domain
>>> pointing to one IP may start pointing to another IP. As an example,
>>> IDNA2003 and Transitional IDNA-2008 map faß.de <http://fass.de> to
>>> fass.de (ß is a deviation character). Non-Transitional IDNA2008 maps it
>>> to xn--fa-hia.de which is the punycode representation of faß.de
>>> <http://fass.de>. Typing "faß.de <http://fass.de>" in Chrome and
>>> Firefox currently opens different sites. Main mitigations discussed were
>>> domain bundling / blocking where registrars bundle domain names (e.g.
>>> registering faß.de <http://fass.de> along with fass.de) or block the
>>> alternative domain name (e.g. disallow faß.de <http://fass.de> if
>>> fass.de is registered). According to data from Chrome 106 and 107:
>>> - Less than 0.001% of user-typed or pasted main frame navigations had a
>>> deviation character in the hostname. This excludes link clicks and renderer
>>> initiated navigations, so the percentage of affected domains among all
>>> navigations is even lower.
>>> - Only one hostname had a deviation character
>>> and had more than 50 impressions over a 28 day period (fußball.de
>>> <http://fussball.de>). Both fußball.de <http://fussball.de> and
>>> fussball.de have the same owner so this change doesn't affect them.
>>> Thus, typing domain names with deviation characters is very rare. Domain
>>> bundling / blocking aren't blockers as this change won't have a significant
>>> impact on navigations. Finally, Firefox and Safari have been using
>>> Non-Transitional IDNA 2008 since 2016 without issues.
>>>
>>>
>>> WebView application risks
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>>
>>>
>>>
>>> Debuggability
>>>
>>>
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, Chrome OS, Android, and Android WebView)? Yes
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>> No
>>>
>>
> Why not?
>
There seem to be some tests written by Apple: https://github.com/web-platform-tests/wpt/pull/4794. However, same question here: Why not?
>
>
>>
>>>
>>> DevTrial instructions:
>>> https://bugs.chromium.org/p/chromium/issues/detail?id=694157#c70
>>>
>>> Flag name: use-idna2008-non-transitional
>>>
>>> Requires code in //chrome? False
>>>
>>> Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=694157
>>>
>>> Launch bug: https://launch.corp.google.com/launch/4224656
>>>
>>> Estimated milestones
>>> DevTrial on desktop 110
>>> DevTrial on Android 110
>>>
>>> Anticipated spec changes
>>>
>>> Open questions about a feature may be a source of future web compat or
>>> interop issues. Please list open issues (e.g. links to known github issues
>>> in the project for the feature specification) whose resolution may
>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>> the API in a non-backward-compatible way).
>>>
>>>
>>> Link to entry on the Chrome Platform Status:
>>> https://chromestatus.com/feature/5105856067141632
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+...@chromium.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com
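
Added example, not part of the original thread and not Chromium's code: a small audit helper that computes the Transitional and Non-Transitional ASCII forms of a hostname and reports the hosts whose lookup name changes between the two modes, as the intent describes for faß.de. It assumes a simplified mapping (NFC, lowercasing and the four deviation characters only, not the full UTS #46 table); the function names and the sample host list are hypothetical.

```python
import unicodedata

# The four deviation characters named in the intent, with their Transitional
# (IDNA2003-compatible) handling: ß -> ss, ς -> σ, ZWJ and ZWNJ deleted.
TRANSITIONAL_MAP = {"\u00df": "ss", "\u03c2": "\u03c3", "\u200d": "", "\u200c": ""}


def _to_ascii(host):
    """Punycode-encode each non-ASCII label (assumption: no UTS #46 validation)."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def idna_forms(host):
    """Return (transitional, non_transitional) ASCII forms of a hostname."""
    host = unicodedata.normalize("NFC", host).lower()
    mapped = "".join(TRANSITIONAL_MAP.get(ch, ch) for ch in host)
    return _to_ascii(mapped), _to_ascii(host)


def diverging_hosts(hosts):
    """Map each host whose lookup name differs between modes to both forms."""
    result = {}
    for host in hosts:
        transitional, non_transitional = idna_forms(host)
        if transitional != non_transitional:
            result[host] = (transitional, non_transitional)
    return result


# Constructed sample input, e.g. entries taken from an allowlist or proxy log.
SAMPLE_HOSTS = ["faß.de", "fußball.de", "example.com", "βόλος.com", "bücher.de"]

if __name__ == "__main__":
    for host, (old, new) in diverging_hosts(SAMPLE_HOSTS).items():
        print(f"{host}: transitional={old} non-transitional={new}")
```

Hosts such as bücher.de contain no deviation character, so both modes give the same name and they are not reported.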