Re: Invalid Characters in URLs

On Thu, 26 Sept 2024 at 02:33, David Benjamin <davidben@chromium.org> wrote:

> If the folks are happy with that status quo, great. If folks are unhappy
> with that status quo, there's probably room for some work here, possibly
> starting by reaching out to WHATWG folks. Either way, I think that is the
> decision tree here.
>

Unhappy with the status quo, so yeah doing something would be good

>
> It follows then that *someone* should write down the de facto lenient
> flavor of URL parsing, so we can collectively avoid the security
> consequences.


Ideally that *someone* could submit as an RFC what the lenient handling of
violation of 3986 (not to obsolete 3986, but to augment it).

The problem with the status quo is that the WhatWG's standard is a living
document that continually is updated.   It is kind of an aspirational
guideline of what the browsers are currently striving to implement.  But
adherence to WhatWG standards is often somewhat variable (see David's post
above).  Thus rather than implementing that specification, you end up
having to do a survey of common browsers and making judgement calls about
which to support, and then keep a live lookout for any changes in those
implementations

It would be so much better if at regular periods, if the key differences
and/or extensions of RFC3986 could be summarized in an RFC, that would
essentially be the browser community communicating with the wider
server/proxy/app community what their current aspirations/expectations are.

cheers

-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com

Received on Wednesday, 25 September 2024 22:11:39 UTC