Re: [whatwg/url] "Let ipv4Host be the result of IPv4 parsing asci..." (#367)

Have you surveyed WAFs, proxies, etc., to determine that they also follow this broken behavior?  Because in a security context, that's what matters.

Documenting broken behavior doesn't make it correct or safe.  It's good that you've discovered this discrepancy, but the correct thing to do from a "specification" standpoint is to disallow inconsistently-implemented, unnecessary corner cases.  (And the correct thing to do as the representatives of said "(major) implementations" which the WHATWG is, is to fix the broken behavior of the unused corner cases.)

Permitting incompatible behavior in what amounts to an unauthoritative spec (there are many, many other users of URIs than those represented by the WHATWG) serves only to promulgate security issues and ecosystem fragmentation.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/367#issuecomment-358310674

Received on Wednesday, 17 January 2018 13:53:42 UTC