Re: [whatwg/url] Should we ignore IPv6 zone identifiers when parsing a URL? (Issue #742)

(I also don't know why Mark was cc'd.)

I was originally of the view that perhaps it would be mostly harmless to ignore a zone identifier, but I think that Anne just set out a pretty cogent argument why mostly != totally.  Maybe that gap can be closed though.

Attacks like this tend to occur as identifiers traverse more elements.  If browsers were to strip stuff out before presenting them in any way (in UI, through the DOM, or to the network), then the risk is mostly limited to any processing that occurs server-side.  That's maybe enough to put an end to this idea, but it is not the same as maybe having this shown in the address bar.  In any case, that was my thinking.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/742#issuecomment-1397870175

Message ID: <whatwg/url/issues/742/1397870175@github.com>

Received on Friday, 20 January 2023 03:05:55 UTC