Sorry, I sent the wrong document. It should be https://docs.google.com/document/d/1edoInUnxwJAGN0264yFRvs6Yi5ptb37HvFYkBNnz2YQ/edit?usp=sharing

On Sat, Mar 11, 2023 at 12:39 AM Mike Taylor <[email protected]> wrote:

> Thanks for the doc - if "WPT URL failure triage" is what you intended to
> send, could you point out which section contains the security concerns? (Or
> maybe just linked the wrong doc on accident?)
>
> On 3/10/23 6:31 AM, Jiacheng Guo wrote:
>
> Sorry for the late reply,
>
> I've created a doc
> <https://docs.google.com/document/d/1ip9B2v5KiX6HUolSODdyEhpWD0Jx1ib_uRbJXOGTqRw/edit?usp=sharing&resourcekey=0-CGabf2J9BGhC1LfbdT6_8w>
> on the security concerns for non-special URLs. The general idea is to
> support non-special URLs and add a blocklist where the URLs can only have
> opaque hosts.
>
> I added the security team to ask for their comments as well.
>
> Jiacheng Guo
>
> On Thu, Mar 9, 2023 at 1:38 AM Mike Taylor <[email protected]> wrote:
>
>> Hi Jiacheng,
>>
>> Friendly ping on Harald's and my questions. :)
>>
>> thanks,
>> Mike
>>
>> On 2/23/23 2:40 AM, Harald Alvestrand wrote:
>>
>> Is there a blacklist of "special schemes" that this change won't touch?
>> Who maintains that list?
>>
>> This seems a bit dangerous, in that if a new scheme is deployed that is
>> "special", code intended for handling non-special schemes will try to parse
>> it.
>>
>> Note that the term "special" in the URL specification
>> (https://url.spec.whatwg.org/#special-scheme) refers strictly to ftp,
>> file, http, https, ws and wss; there's nothing "special" about urn, turn,
>> stun or any of the other standardized schemes that don't use the // syntax.
>>
>> On Wed, Feb 22, 2023 at 5:08 PM Yoav Weiss <[email protected]>
>> wrote:
>>
>>> On Wed, Feb 22, 2023 at 4:43 PM Mike Taylor <[email protected]>
>>> wrote:
>>>
>>>> On 2/22/23 8:21 AM, 'Jiacheng Guo' via blink-dev wrote:
>>>>
>>>> Contact emails [email protected]
>>>>
>>>> Explainer None
>>>>
>>> An explainer (even inline) would be helpful to get a better
>>> understanding of what this change does.
>>> Does it impact only URL() object construction? What is happening today?
>>> What will happen after this change lands?
>>>
>>>> Specification https://url.spec.whatwg.org/#url-parsing
>>>>
>>>> Summary
>>>>
>>>> URLs with non-special schemes will be supported in Chrome.
>>>> `non-speicial://test.com:1234/path` will
>>>> become a valid URL. One can access and set the URL properties such as
>>>> host, port and path via the URL class.
>>>>
>>>> Blink component Blink>JavaScript>API
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EJavaScript%3EAPI>
>>>>
>>>> TAG review
>>>>
>>>> TAG review status Not applicable
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> *Gecko*: Positive
>>>>
>>>> *WebKit*: Positive
>>>>
>>>> Any links to those positive signals?
>>>>
>>>> *Web developers*: No signals
>>>>
>>>> *Other signals*:
>>>>
>>>> Ergonomics
>>>>
>>>> No significant risks.
>>>>
>>>> Activation
>>>>
>>>> No significant risks.
>>>>
>>>> Security
>>>>
>>>> data:// and javascript:// URLs handling is not modified due to their
>>>> critical role.
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>> that it has potentially high risk for Android WebView-based applications?
>>>>
>>>> Do URLs with an intent:// scheme have any security considerations, or
>>>> implications for WebView? (I don't know, hopefully someone who does can
>>>> answer. :))
>>>>
>>>> Debuggability
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>> ? Yes
>>>>
>>>> Flag name NonSpeicalSchemeURLParsing
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Tracking bug https://crbug.com/1416006
>>>>
>>>> Sample links
>>>> https://chromium-review.googlesource.com/c/chromium/src/+/4273893
>>>>
>>>> Estimated milestones
>>>>
>>>> No milestones specified
>>>>
>>>> Anticipated spec changes
>>>>
>>>> Open questions about a feature may be a source of future web compat or
>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>> in the project for the feature specification) whose resolution may
>>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>>> the API in a non-backward-compatible way).
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>> https://chromestatus.com/feature/5201116810182656
>>>>
>>>> This intent message was generated by Chrome Platform Status
>>>> <https://chromestatus.com/>.
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1Nzk847XL759vMSQaF3L5zvtykg6UfQvuss4diyU-h1%3Duw%40mail.gmail.com
>>>> .
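
The special/non-special split discussed in this thread, as an added example that is not part of the original messages or of Chromium's code. It assumes a runtime whose `URL` class follows the URL Standard (for example Node.js); `inspectUrl`, `isAllowedHttpTarget` and the sample URLs are constructed for illustration.

```javascript
// Added example; helper names and sample URLs are constructed for illustration.
// The six "special" schemes listed in the thread (URL Standard, #special-scheme).
const SPECIAL_SCHEMES = new Set(["ftp", "file", "http", "https", "ws", "wss"]);

// Parse with a standard-conformant URL class and report the fields the thread
// talks about. Returns null when the parser rejects the input.
function inspectUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null;
  }
  const scheme = url.protocol.slice(0, -1); // drop the trailing ":"
  return {
    scheme,
    special: SPECIAL_SCHEMES.has(scheme),
    hostname: url.hostname, // opaque (case kept) for non-special schemes
    port: url.port,         // default ports are elided only for special schemes
    pathname: url.pathname,
    origin: url.origin,     // "null" (opaque origin) for non-special schemes
  };
}

// Host allowlist check that compares hosts only for http(s), where the parser
// has already lowercased the host. Any other scheme is refused, not compared,
// because an opaque host is not normalized.
function isAllowedHttpTarget(input, allowedHosts) {
  const info = inspectUrl(input);
  if (info === null) return false;
  if (info.scheme !== "http" && info.scheme !== "https") return false;
  return allowedHosts.includes(info.hostname);
}
```
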
