Re: [whatwg/url] Web reality: Filenames should be newline-normalized in urlencoded (#562) from Andreu Botella on 2020-12-03 (public-webapps-github@w3.org from December 2020)

From: Andreu Botella <notifications@github.com>
Date: Thu, 03 Dec 2020 12:04:16 -0800
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/562/738276174@github.com>

To clarify a bit the reasoning for why this normalization must happen in the `urlencoded` serializer:

When constructing an entry list from a `<form>` element, the HTML spec requires (in ["append an entry"](https://html.spec.whatwg.org/#append-an-entry)) that the names and values (other than `File` values) be newline-normalized, but not filenames. This is directly web-observable by constructing a `FormData` object from the `<form>`, and only Chrome implements that normalization at this stage. (Tests: https://wpt.fyi/results/html/semantics/forms/form-submission-0/newline-normalization.html?label=pr_head&max-count=1&pr=26747)

When encoding an entry list as `multipart/form-data`, the spec doesn't mandate any further newline normalization (though there's the percent-encoding we're trying to incorporate in whatwg/html#3276). Note that not all entry lists that reach this step must be newline-normalized by the spec, since you can construct a `FormData` object from scratch. Gecko and WebKit do the newline normalization at this stage; wrongly for `FormData` objects. (Tests: https://wpt.fyi/results/FileAPI/file/send-file-form-controls.tentative.html?label=experimental&label=master&aligned for form submission, https://wpt.fyi/results/FileAPI/file/send-file-formdata-controls.tentative.html?label=experimental&label=master&aligned for `FormData`).

When encoding an entry list as `urlencoded` there shouldn't be any further newline normalization applied. But since filenames now become values, you might expect Gecko and WebKit to normalize newlines in filenames. What's strange is that Chrome is also doing it for some reason. (Tests: https://wpt.fyi/results/url/urlencoded-filenames.window.html?label=pr_head&max-count=1&pr=26740)

Since all browsers agree that newlines in filenames get normalized, this should be incorporated into the specs, and since in the Chrome/spec behavior filenames don't get normalized in `multipart/form-data`, the remaining place to do the normalization in spec-land is in the `urlencoded` serializer.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/562#issuecomment-738276174

Received on Thursday, 3 December 2020 20:04:29 UTC