- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 21 Mar 2019 16:28:21 +0000 (UTC)
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 21 March 2019 16:28:47 UTC
annevk commented on this pull request.

> - <li><p>Other parts of the <a for=/>URL</a> should have their sequences of - <a>percent-encoded bytes</a> replaced with code points resulting from - <a>percent decoding</a> those sequences converted to bytes, unless that renders those - sequences invisible. +<p>In a space-constrained display, URLs should be elided carefully to avoid misleading the user when +making a security decision: + +<ul> + <li><p>Ensure that at least the <a for=host>registrable domain</a> can be shown when the URL is + rendered (to avoid showing, e.g., <code>...examplecorp.com</code> when loading + <code>https://not-really-examplecorp.com/</code>). + + <li><p>When the full <a for=url>host</a> cannot be rendered, elide domain labels starting from the + front. For example, <code>examplecorp.com.evil.com</code> should be elided as

https://tools.ietf.org/html/rfc1034#section-3.1 has some wording. The URL Standard hadn't really introduced any wording around labels as thus far it wasn't needed for anything normative. Perhaps it should.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/pull/434#discussion_r267845715
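Review bot: In the second added <li>, "domain labels" appears as plain text with no definition or link, while "registrable domain" and "host" in the same list are marked up as linked terms. Since the eliding rule depends on what counts as a label and on which end "the front" is, the text should either define "label" in the standard or reference an existing definition, and say explicitly that elision removes the leftmost labels so that the registrable domain from the first <li> always stays visible. The removed lines also drop the condition "unless that renders those sequences invisible" for percent-decoded display; nothing in the visible added lines replaces it, so it is worth confirming that the guidance is kept elsewhere in the change.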