Thanks for investing in this alignment! Having a URL that goes one place in Chrome and somewhere different in Safari/Firefox seems like a very bad thing in principle to me :-)
Your metrics and comments are around user-typed/pasted URLs. Does this change somehow impact only that, not URLs parsed from HTML and CSS? If so then I can understand why there's no WPTs for this. But if not then we'd definitely need confidence in the WPT tests and probably some more compat analysis. On Wed, Nov 30, 2022 at 8:35 AM 'Yifan Luo' via blink-dev < blink-dev@chromium.org> wrote: > > > On Wednesday, November 30, 2022 at 6:37:57 AM UTC+1 yoav...@chromium.org > wrote: > >> Thanks for working on alignment here!! >> >> On Tue, Nov 29, 2022 at 7:30 AM 'Harald Alvestrand' via blink-dev < >> blin...@chromium.org> wrote: >> >>> This IDNA 2008 author applauds your decision. >>> >>> >>> On Mon, Nov 28, 2022 at 10:16 PM Mustafa Emre Acer <mea...@chromium.org> >>> wrote: >>> >>>> Contact emailsmea...@chromium.org >>>> >>>> Specificationhttps://unicode.org/reports/tr46 >>>> >>>> Summary >>>> >>>> Enable IDNA 2008 in Non-Transitional Mode for URL processing, aligning >>>> Chrome's behavior with Firefox and Safari. Chrome currently uses IDNA 2008 >>>> in Transitional Mode in URL processing. The main difference between >>>> Transitional and Non-Transitional Mode is the handling of four characters >>>> known as deviation characters: ß (LATIN SMALL LETTER SHARP S), ς (GREEK >>>> SMALL LETTER FINAL SIGMA), ZWJ (Zero width joiner) and ZWNJ (Zero width >>>> non-joiner). In Transitional mode, deviation characters are handled the >>>> same as IDNA2003: ß is mapped to ss, ς is mapped to σ, and ZWJ and ZWNJ are >>>> deleted. In Non-Transitional mode, domains containing these characters are >>>> allowed in domain names without mapping, and thus can resolve to different >>>> IP addresses. For example, typing "faß.de <http://fass.de>" in Chrome >>>> and Firefox opens different sites today. Enabling Non-Transitional IDNA in >>>> Chrome will allow deviation characters in domain names. Firefox and Safari >>>> already made this change in 2016 and continue to use Non-Transitional URL >>>> processing. >>>> >>>> >>>> Blink componentUI>Security>UrlFormatting >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:UI%3ESecurity%3EUrlFormatting> >>>> >>>> Search tagsidna <https://chromestatus.com/features#tags:idna> >>>> >>>> TAG reviewThis feature addresses conformance to an existing spec and >>>> other browsers already do it. >>>> >>>> TAG review statusNot applicable >>>> >>>> Risks >>>> >>>> >>>> Interoperability and Compatibility >>>> >>>> >>>> >>>> *Gecko*: Shipped/Shipping ( >>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1218179) >>>> >>>> *WebKit*: Shipped/Shipping ( >>>> https://trac.webkit.org/changeset/208902/webkit) >>>> >>>> *Web developers*: No signals >>>> >>>> *Other signals*: >>>> >>>> Security >>>> >>>> This change introduces a potential security issue where a domain >>>> pointing to one IP may start pointing to another IP. As an example, >>>> IDNA2003 and Transitional IDNA-2008 maps faß.de <http://fass.de> to >>>> fass.de (ß is a deviation character). Non-Transitional IDNA2008 maps >>>> it to xn--fa-hia.de which is the punycode representation of faß.de >>>> <http://fass.de>. Typing "faß.de <http://fass.de>" in Chrome and >>>> Firefox currently opens different sites. Main mitigations discussed were >>>> domain bundling / blocking where registrars bundle domain names (e.g. >>>> registering faß.de <http://fass.de> along with fass.de) or block the >>>> alternative domain name (e.g. disallow faß.de <http://fass.de> if >>>> fass.de is registered). According to data from Chrome 106 and 107: - >>>> Less than 0.001% of user-typed or pasted main frame navigations had a >>>> deviation character in the hostname. This excludes link clicks and renderer >>>> initiated navigations, so the percentage of affected domains among all >>>> navigations is even lower. - Only one hostname had a deviation character >>>> and had more than 50 impressions over a 28 day period (fußball.de >>>> <http://fussball.de>). Both fußball.de <http://fussball.de> and >>>> fussball.de have the same owner so this change doesn't affect them. >>>> Thus, typing domain names with deviation characters is very rare. Domain >>>> bundling / blocking aren't blockers as this change won't have a significant >>>> impact on navigations. Finally, Firefox and Safari have been using >>>> Non-Transitional IDNA 2008 since 2016 without issues. >>>> >>>> >>>> WebView application risks >>>> >>>> Does this intent deprecate or change behavior of existing APIs, such >>>> that it has potentially high risk for Android WebView-based applications? >>>> >>>> >>>> >>>> Debuggability >>>> >>>> >>>> >>>> Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, Chrome OS, Android, and Android WebView)?Yes >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>> ?No >>>> >>> >> Why not? >> > There seems to be some tests written by apple > https://github.com/web-platform-tests/wpt/pull/4794. However, same > question here: Why not? > >> >> >>> >>>> >>>> DevTrial instructions >>>> https://bugs.chromium.org/p/chromium/issues/detail?id=694157#c70 >>>> >>>> Flag nameuse-idna2008-non-transitional >>>> >>>> Requires code in //chrome?False >>>> >>>> Tracking bug >>>> https://bugs.chromium.org/p/chromium/issues/detail?id=694157 >>>> >>>> Launch bughttps://launch.corp.google.com/launch/4224656 >>>> >>>> Estimated milestones >>>> DevTrial on desktop 110 >>>> DevTrial on Android 110 >>>> >>>> Anticipated spec changes >>>> >>>> Open questions about a feature may be a source of future web compat or >>>> interop issues. Please list open issues (e.g. links to known github issues >>>> in the project for the feature specification) whose resolution may >>>> introduce web compat/interop risk (e.g., changing to naming or structure of >>>> the API in a non-backward-compatible way). >>>> >>>> >>>> Link to entry on the Chrome Platform Status >>>> https://chromestatus.com/feature/5105856067141632 >>>> >>>> This intent message was generated by Chrome Platform Status >>>> <https://chromestatus.com/>. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to blink-dev+...@chromium.org. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+...@chromium.org. >>> >> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOqqYVFsCyiMPA4eVWZy-a%2Bv6XCgcYkCDzhq7XVSP4O_rQFFyA%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOqqYVFsCyiMPA4eVWZy-a%2Bv6XCgcYkCDzhq7XVSP4O_rQFFyA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e83440db-ff48-46c5-8ca3-25a444cc063an%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e83440db-ff48-46c5-8ca3-25a444cc063an%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY8_-3_YWsRzmCk4mLQgTU6eaUHQ09%3Dku4dD4_gbks1VNQ%40mail.gmail.com.
