[whatwg/url] Should we ignore IPv6 zone identifiers when parsing a URL? (Issue #742) from Valentin Gosu on 2023-01-19 (public-webapps-github@w3.org from January 2023)

From: Valentin Gosu <notifications@github.com>
Date: Thu, 19 Jan 2023 02:39:10 -0800
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/742@github.com>

The consensus of #392 was that browsers don't want to support  IPv6 zone identifiers.

One possible path forward would be ignoring the zone identifier when parsing the URL, but as [Anne points out](https://github.com/whatwg/url/issues/392#issuecomment-1396750341):
> If it should impact authority and we end up treating multiple distinct authorities as one, that would not be good. And while there are plenty of ways to make a URL appear like another one, I'm not sure we want to add to that problem.
> Also in other domains ignoring all input after a certain character has led to injection attacks. How would we avoid those here?

Right, I think the injection attack issue is worth exploring. In that case we probably also need to check that all of the characters in the zoneID are in the unreserved character set.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/742
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/742@github.com>

Received on Thursday, 19 January 2023 10:39:22 UTC