Hi Jiacheng,

Thanks again for all this interop work!

I don't think I understood the process that led to special treatment for
data:, javascript:, intent:, urn:, turn:, and stun:. It seems like the
intent is to not follow the standard precisely for those schemes, right? I
guess that might be reasonable as a stepping stone, but I want to make sure
we're tracking our failure to follow the standard there, and hopefully
eventually fixing it.

I've filed https://github.com/web-platform-tests/wpt/issues/38970 to
discuss adding more test coverage. To help us with that, can you provide an
example of how the blocklist your document discusses will work? That is,
the document says

> Add a blocklist for non-special schemes. The schemes in the block list
> must have an opaque host.

Since there's no such list in the URL Standard itself, I'm assuming this
means those schemes will have nonstandard behavior. But I don't understand
what nonstandard behavior is implied by "must have an opaque host". Can you
give an example of, e.g., a stun: URL, which will parse differently in the
URL Standard vs. Blink's implementation, due to this blocklist?


On Mon, Mar 13, 2023 at 8:48 PM 'Jiacheng Guo' via blink-dev <
[email protected]> wrote:

> Sorry I sent the wrong document
>
> It should be
> https://docs.google.com/document/d/1edoInUnxwJAGN0264yFRvs6Yi5ptb37HvFYkBNnz2YQ/edit?usp=sharing
>
> On Sat, Mar 11, 2023 at 12:39 AM Mike Taylor <[email protected]>
> wrote:
>
>> Thanks for the doc - if "WPT URL failure triage" is what you intended to
>> send, could you point out which section contains the security concerns? (Or
>> maybe just linked the wrong doc on accident?)
>> On 3/10/23 6:31 AM, Jiacheng Guo wrote:
>>
>> Sorry for the late reply,
>>
>> I've created a doc
>> <https://docs.google.com/document/d/1ip9B2v5KiX6HUolSODdyEhpWD0Jx1ib_uRbJXOGTqRw/edit?usp=sharing&resourcekey=0-CGabf2J9BGhC1LfbdT6_8w>
>> on the security concerns for non-special URLs. The general idea is to
>> support non-special URLs and add a blocklist where the URLs can only have
>> opaque hosts.
>>
>> I added the security team to ask for their comments as well.
>>
>> Jiacheng Guo
>>
>>
>>
>> On Thu, Mar 9, 2023 at 1:38 AM Mike Taylor <[email protected]>
>> wrote:
>>
>>> Hi Jiacheng,
>>>
>>> Friendly ping on Harald's and my questions. :)
>>>
>>> thanks,
>>> Mike
>>> On 2/23/23 2:40 AM, Harald Alvestrand wrote:
>>>
>>> Is there a blacklist of "special schemes" that this change won't touch?
>>> Who maintains that list?
>>>
>>> This seems a bit dangerous, in that if a new scheme is deployed that is
>>> "special", code intended for handling non-special schemes will try to parse
>>> it.
>>>
>>> Note that the term "special" in the URL specification (
>>> https://url.spec.whatwg.org/#special-scheme) refers strictly to ftp,
>>> file, http, https, ws and wss; there's nothing "special" about urn, turn,
>>> stun or any of the other standardized schemes that don't use the // syntax.
>>>
>>>
>>>
>>>
>>> On Wed, Feb 22, 2023 at 5:08 PM Yoav Weiss <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Feb 22, 2023 at 4:43 PM Mike Taylor <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>> On 2/22/23 8:21 AM, 'Jiacheng Guo' via blink-dev wrote:
>>>>>
>>>>> Contact emails [email protected]
>>>>>
>>>>> Explainer None
>>>>>
>>>>>
>>>> An explainer (even inline) would be helpful to get a better
>>>> understanding of what this change does.
>>>> Does it impact only URL() object construction? What is happening today?
>>>> What will happen after this change lands?
>>>>
>>>>>
>>>>>
>>>>> Specification https://url.spec.whatwg.org/#url-parsing
>>>>>
>>>>> Summary
>>>>>
>>>>> URLs with non-special schemes will be supported in Chrome.
>>>>> `non-speicial://test.com:1234/path` will
>>>>> become a valid URL. One can access and set the URL properties such as
>>>>> host, port and path via the URL class.
>>>>>
>>>>>
>>>>> Blink component Blink>JavaScript>API
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EJavaScript%3EAPI>
>>>>>
>>>>> TAG review
>>>>>
>>>>> TAG review status Not applicable
>>>>>
>>>>> Risks
>>>>>
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> *Gecko*: Positive
>>>>>
>>>>> *WebKit*: Positive
>>>>>
>>>>> Any links to those positive signals?
>>>>
>>>>
>>>>>
>>>>> *Web developers*: No signals
>>>>>
>>>>> *Other signals*:
>>>>>
>>>>> Ergonomics
>>>>>
>>>>> No significant risks.
>>>>>
>>>>>
>>>>> Activation
>>>>>
>>>>> No significant risks.
>>>>>
>>>>>
>>>>> Security
>>>>>
>>>>> data:// and javascript:// URLs handling is not modified due to their
>>>>> critical role.
>>>>>
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>> Do URLs with an intent:// scheme have any security considerations, or
>>>>> implications for WebView? (I don't know, hopefully someone who does can
>>>>> answer. :))
>>>>>
>>>>>
>>>>>
>>>>> Debuggability
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>>> ? Yes
>>>>>
>>>>> Flag name NonSpeicalSchemeURLParsing
>>>>>
>>>>> Requires code in //chrome? False
>>>>>
>>>>> Tracking bug https://crbug.com/1416006
>>>>>
>>>>> Sample links
>>>>> https://chromium-review.googlesource.com/c/chromium/src/+/4273893
>>>>>
>>>>> Estimated milestones
>>>>>
>>>>> No milestones specified
>>>>>
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> Open questions about a feature may be a source of future web compat or
>>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>>> in the project for the feature specification) whose resolution may
>>>>> introduce web compat/interop risk (e.g., changing to naming or structure
>>>>> of the API in a non-backward-compatible way).
>>>>>
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>> https://chromestatus.com/feature/5201116810182656
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "blink-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1Nzk847XL759vMSQaF3L5zvtykg6UfQvuss4diyU-h1%3Duw%40mail.gmail.com
>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJQw1Nzk847XL759vMSQaF3L5zvtykg6UfQvuss4diyU-h1%3Duw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>
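
An added example, not part of the thread and not Blink's code: it shows how a parser that follows the URL Standard splits special and non-special URLs, including the opaque-host case the thread asks about. It assumes the global `URL` class in Node.js as the conforming parser; the sample URLs and the helper names `inspectUrl` and `report` are constructed for illustration, and the blocklist itself is not modelled because the thread does not specify its behaviour.

```javascript
// Added example: component view of special vs. non-special URLs as parsed
// by a WHATWG-conforming parser (assumed here: Node.js's global URL class).

// The six special schemes listed in the URL Standard.
const SPECIAL_SCHEMES = new Set(["ftp", "file", "http", "https", "ws", "wss"]);

// Parse `input` and return the components discussed in the thread.
// Returns { ok: false } when the parser rejects the input.
function inspectUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { input, ok: false };
  }
  const scheme = url.protocol.slice(0, -1); // drop the trailing ":"
  return {
    input,
    ok: true,
    special: SPECIAL_SCHEMES.has(scheme),
    hostname: url.hostname,
    port: url.port,
    pathname: url.pathname,
    origin: url.origin,
  };
}

// Constructed sample inputs.
const SAMPLES = [
  "http://EXAMPLE.com:1234/path",        // special: host is lowercased
  "non-special://EXAMPLE.com:1234/path", // opaque host: case is preserved
  "stun:example.com:3478",               // no "//": no host, opaque path
  "stun://example.com:3478",             // "//": host and port are split out
  "non-special://exa mple.com/",         // space is a forbidden host code point
];

function report() {
  return SAMPLES.map(inspectUrl);
}

for (const row of report()) console.log(JSON.stringify(row));
```
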
