Sorry for the late reply, I've created a doc <https://docs.google.com/document/d/1ip9B2v5KiX6HUolSODdyEhpWD0Jx1ib_uRbJXOGTqRw/edit?usp=sharing&resourcekey=0-CGabf2J9BGhC1LfbdT6_8w> on the security concerns for non-special URLs. The general idea is to support non-special URLs and add a blocklist where the URLs can only have opaque hosts.
I added the security team to ask for their comments as well. Jiacheng Guo On Thu, Mar 9, 2023 at 1:38 AM Mike Taylor <[email protected]> wrote: > Hi Jiacheng, > > Friendly ping on Harald's and my questions. :) > > thanks, > Mike > On 2/23/23 2:40 AM, Harald Alvestrand wrote: > > Is there a blacklist of "special schemes" that this change won't touch? > Who maintains that list? > > This seems a bit dangerous, in that if a new scheme is deployed that is > "special", code intended for handling non-special schemes will try to parse > it. > > Note that the term "special" in the URL specification ( > https://url.spec.whatwg.org/#special-scheme) refers strictly to ftp, > file, http, https, ws and wss; there's nothing "special" about urn, turn, > stun or any of the other standardized schemes that don't use the // syntax. > > > > > On Wed, Feb 22, 2023 at 5:08 PM Yoav Weiss <[email protected]> wrote: > >> >> >> On Wed, Feb 22, 2023 at 4:43 PM Mike Taylor <[email protected]> >> wrote: >> >>> >>> On 2/22/23 8:21 AM, 'Jiacheng Guo' via blink-dev wrote: >>> >>> Contact emails [email protected] >>> >>> Explainer None >>> >>> >> An explainer (even inline) would be helpful to get a better understanding >> of what this change does. >> Does it impact only URL() object construction? What is happening today? >> What will happen after this change lands? >> >>> >>> >>> Specification https://url.spec.whatwg.org/#url-parsing >>> >>> Summary >>> >>> URLs with non-special schemes will be supported in chrome. >>> `non-speicial://test.com:1234/path` <http://test.com:1234/path> will be >>> become a valid URL. One can access and set the URL properties such as host, >>> port and path via the URL class. >>> >>> >>> Blink component Blink>JavaScript>API >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EJavaScript%3EAPI> >>> >>> TAG review >>> >>> TAG review status Not applicable >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> *Gecko*: Positive >>> >>> *WebKit*: Positive >>> >>> Any links to those positive signals? >> >> >>> >>> *Web developers*: No signals >>> >>> *Other signals*: >>> >>> Ergonomics >>> >>> No significant risks. >>> >>> >>> Activation >>> >>> No significant risks. >>> >>> >>> Security >>> >>> data:// and javascript:// URLs handling is not modified due to their >>> critical role. >>> >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> Do URLs with an intent:// scheme have any security considerations, or >>> implications for WebView? (I don't know, hopefully someone who does can >>> answer. :)) >>> >>> >>> >>> Debuggability >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, Chrome OS, Android, and Android WebView)? Yes >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ? Yes >>> >>> Flag name NonSpeicalSchemeURLParsing >>> >>> Requires code in //chrome? False >>> >>> Tracking bug https://crbug.com/1416006 >>> >>> Sample links >>> https://chromium-review.googlesource.com/c/chromium/src/+/4273893 >>> >>> Estimated milestones >>> >>> No milestones specified >>> >>> >>> Anticipated spec changes >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/5201116810182656 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>. >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1Nzk847XL759vMSQaF3L5zvtykg6UfQvuss4diyU-h1%3Duw%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1Nzk847XL759vMSQaF3L5zvtykg6UfQvuss4diyU-h1%3Duw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/7cdf2693-c8a3-d263-0eb0-a44a2390979e%40chromium.org >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/7cdf2693-c8a3-d263-0eb0-a44a2390979e%40chromium.org?utm_medium=email&utm_source=footer> >>> . >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVfGhV%2BDRzpCjGFoHg7EXb325nHz3nu4OSQVTTC6bkS1A%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVfGhV%2BDRzpCjGFoHg7EXb325nHz3nu4OSQVTTC6bkS1A%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1NxiMqDX%2BqsDP%3D1HVhV9hxEZmF5eJN6FPUEHKVmcvF6Hqg%40mail.gmail.com.
