- From: Mike West <notifications@github.com>
- Date: Tue, 23 May 2017 04:42:50 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/pull/284/c303372495@github.com>
> However in writing the above I realize I am confused. Is this a mitigation applied to Fetch, or to HTML? I think the PRs apply it to Fetch, right? That's correct. It seems simplest to make the behavior consistent at the Fetch layer. > ```javascript > new WebSocket(new URL(`wss://example.com/foo\nbar>baz`).href); > ``` This wouldn't fail, actually, because you're stringifying a parsed URL. That is, the result of `new URL(`...`)` would have set this flag, but the flag isn't represented in the stringification. So, the string passed into `new WebSocket()` contains neither `<` nor `\n`. `new WebSocket(`wss://example.com/foo\nbar>baz`);`, on the other hand, would be blocked. > Maybe the specification layering where HTML wraps specific invocations of the URL parser would be better after all... Writing it that way is fine, if cumbersome because of all the call sites. I don't intend to implement it that way in Blink, however. As noted above, URL parsing is expensive, and I don't think there's much appetite for doing more loops through the string. I understand that it's confusing to put a flag like this into URL if it's not used in URL, but if we put it somewhere else, I think we'd probably end up adding a note about how implementers should probably implement it as part of their URL parser. If you're happier with that as an outcome, I can type it up. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/pull/284#issuecomment-303372495
Received on Tuesday, 23 May 2017 11:43:24 UTC