Contact emails
hay...@chromium.org

Explainer
http://bit.ly/url-non-special

Specification
https://url.spec.whatwg.org/ <https://url.spec.whatwg.org/#url-parsing>

Summary
Support non-special scheme URLs.

Previously, Chromium's URL parser didn't handle non-special scheme URLs properly. It treated these URLs as “opaque paths”, which didn’t align with the URL Standard. Now, Chromium’s URL parser correctly processes non-special URLs.

Examples:

Before:

> const url = new URL("git://host/path");
> url.host
""
> url.pathname
"//host/path"
> url.host = "newhost";
> url.host
""

> const url = new URL("git://a b/path");
> url.pathname
"//a b/path"

After:

> const url = new URL("git://host/path");
> url.host
"host"
> url.pathname
"/path"
> url.host = "newhost";
> url.host
"newhost"
> url.href
"git://newhost/path"

> const url = new URL("git://a b/path");
=> throws Exception. // A space character is not allowed as a hostname.

See http://bit.ly/url-non-special for more details.

As part of our Interop 2024 efforts, this change delivers the following improvements:

- Boosts WPT URL Score: 936 previously failing subtests in the WPT URL tests (link <https://docs.google.com/document/d/1LjxHl32fE4tCKugrK_PIso7mfXQVEeoD1wSnX2y0ZU8/edit?resourcekey=0-d1gP4X2sG7GPl9mlTeptIA&tab=t.0#heading=h.ji1rj1k19sgh>) now pass, raising the score from 87.0% to 94.7%.
- Fixes code relying on incorrect URL behavior: 527 tests (link <https://docs.google.com/spreadsheets/d/1Pqw1iKXK_lxHj-kLIAeRFs-khFz-BPZDio1W7SgEVE4/edit?usp=sharing>) and related code in Chromium that depended on the previous behavior are now fixed or mitigated, including:
  - Web tests that relied on non-compliant non-special URL behavior (e.g. “javascript://a b” URL)
  - Non-special schemes used internally by Chromium code base, including ChromeOS (e.g.
    “steam:”, “materialized-view://”, “cros-apps://”)

Blink component
Internals>Network <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork>

TAG review
Not applicable

Risks

Interoperability and Compatibility
Since Safari and Firefox already support non-special scheme URLs, the likelihood of public websites breaking due to this change is likely low. See here <https://docs.google.com/document/d/1LjxHl32fE4tCKugrK_PIso7mfXQVEeoD1wSnX2y0ZU8/edit?resourcekey=0-d1gP4X2sG7GPl9mlTeptIA&tab=t.0> for a rough estimation of the non-special scheme URL usages.

Gecko: Shipped

WebKit: Shipped

Web developers: Generally seems positive. Some signals (from interop 2024 discussions <https://github.com/web-platform-tests/interop/issues/424>) are:

- > Confusion because URL parsers across Blink, Gecko, WebKit, Node, and Deno do not interop well. The root cause is nearly always parser bugs in Blink or Gecko: https://twitter.com/oleg008/status/1699087223751073883
- > URL is very widely used - custom schemes are commonly used for links to native apps, or when dealing with developer tooling like databases. They may also become exceedingly more common with import maps.

Other potential risks and assessments:

- Enterprise usage: It's difficult to predict how non-special URLs are used in the wild, especially by enterprise customers with in-house apps. While adding an Enterprise Policy was considered to mitigate risks, technical limitations make it difficult to support URLs. See http://bit.ly/url-non-special for more info. We'll disable the feature with Finch (StandardCompliantNonSpecialSchemeURLParsing flag) in case this causes serious issues.
- Impacts on well-known non-special schemes: See here <https://docs.google.com/document/d/1LjxHl32fE4tCKugrK_PIso7mfXQVEeoD1wSnX2y0ZU8/edit?resourcekey=0-d1gP4X2sG7GPl9mlTeptIA&tab=t.0#heading=h.k3rirdjyomw6> for the impacts on “javascript://”, “data:”, and so on.
- Impacts on dependent components: This change affects components relying on URL behavior, like Origin <https://url.spec.whatwg.org/#origin>. See the Security section below.

Security
In Chromium, GURL, KURL, and web-facing URL APIs share the common URL parser backends, which reside in //url. As a result, this web-facing change will also affect core components like url::Origin, kurl::SecurityOrigin.

For detailed information on how url::Origin, kurl::SecurityOrigin, and web-facing url.origin are impacted, please refer to this CL’s description <https://chromium-review.googlesource.com/c/chromium/src/+/5309015>.

TL;DR. This is a complex issue due to historical reasons. While most components remain unaffected, there are some nuances, particularly regarding the “Android WebView Hack”. We’ve preserved the current Origin behavior for Android WebView.

WebView application risks
Beyond the aforementioned "Android WebView Hack", there are no other changes specific to WebView.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes (dashboard <https://wpt.fyi/results/url?label=master&label=experimental&product=chrome&product=firefox&product=safari&aligned&view=interop&q=label%3Ainterop-2023-url>)

Flag name
StandardCompliantNonSpecialSchemeURLParsing

Requires code in //chrome?
False

Tracking bug
https://crbug.com/1416006

Estimated milestones
M130

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5201116810182656

Links to previous Intent discussions
Previous I2S <https://groups.google.com/a/chromium.org/g/blink-dev/c/wYuPrIQzDTA/m/uoL4bXR2BgAJ>.
The previous I2S mail was sent last year but please consider this intent to ship as a new one.

--
Hayato
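
The Before/After behaviour in the Summary changes where the host of a custom-scheme URL ends up, which matters to code that makes allowlist decisions on `url.host`. The following is an added example, not part of the original message or of Chromium's code: it detects which behaviour the engine has and extracts the host so that the check fails closed on both. The helper names, the allowlist and the sample URLs are constructed.

```javascript
// Added example, not Chromium code. Helper names, the allowlist and the
// sample URLs are constructed for illustration.

// True when the engine shows the "After" behaviour from the Summary.
function hasStandardNonSpecialParsing() {
  const u = new URL("git://host/path");
  return u.host === "host" && u.pathname === "/path";
}

// Split "scheme://host/path" into parts on either parser behaviour.
// Returns null when the URL is rejected or carries no usable host.
function splitNonSpecial(input) {
  let u;
  try {
    u = new URL(input);
  } catch {
    return null; // standard parsing throws, e.g. for a space in the host
  }
  const scheme = u.protocol.slice(0, -1);
  if (u.hostname !== "") {
    return { scheme, host: u.hostname, path: u.pathname };
  }
  // "Before" behaviour: host is "" and pathname holds "//host/path".
  const m = /^\/\/([^/?#]*)(\/.*)?$/.exec(u.pathname);
  // Assumption: accept only plain hostnames here, so userinfo, ports and
  // spaces fail closed instead of being compared against the allowlist.
  if (!m || !/^[A-Za-z0-9.-]+$/.test(m[1])) return null;
  return { scheme, host: m[1], path: m[2] || "" };
}

const ALLOWED_TARGETS = new Set(["git://repo.example"]); // constructed

// Allowlist check on the extracted host; exact match on scheme and host.
function isAllowedTarget(input) {
  const p = splitNonSpecial(input);
  return p !== null && ALLOWED_TARGETS.has(`${p.scheme}://${p.host}`);
}

console.log("standard parsing:", hasStandardNonSpecialParsing());
console.log(isAllowedTarget("git://repo.example/a.git"));
console.log(isAllowedTarget("git://evil.example/a.git"));
console.log(isAllowedTarget("git://repo.example evil/a.git"));
```

On an engine with the previous behaviour, a check written directly against `url.host` would see `""` for every one of these URLs, which is why the fallback reads the host out of `pathname` instead.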