Re: [whatwg/url] Basic URL parse requires stripping tabs before host state is entered, allowing bad hosts (Issue #829)

It's the _same domain_, whether it is within the URL or set separately, and this logic treats that same domain as two different ones, depending on how the domain parser is reached. 

That is, if one sets the URL as `https://abc<tab>xyz.test/path`, this logic yields a bogus `abcxyz.test` domain, but if someone splits it based on URL nomenclature and feeds `abc<tab>xyz` to the domain parser, from the same URL, mind you, then it's flagged as invalid.

This logic is an open invitation for security issues, where whitespace sprinkled across URLs, including domains, will be silently removed, yielding a different URL and its individual components. I'm honestly surprised this is not considered as a potential security issue or, at least, inconsistent behavior.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/829#issuecomment-2287206294

Message ID: <whatwg/url/issues/829/2287206294@github.com>

Received on Tuesday, 13 August 2024 21:56:39 UTC
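
The discrepancy described in the message above can be made visible with a pre-parse check. This is an added example, not code from the thread or from the URL Standard. The names `rawHostOf`, `auditUrl` and `strictParse` are hypothetical, the host split is a deliberate simplification that assumes a `scheme://authority` URL, and the sample inputs are constructed.

```javascript
// Added example; rawHostOf, auditUrl and strictParse are hypothetical names.
// The WHATWG basic URL parser removes ASCII tab, LF and CR from the whole
// input before the host state runs, so the host parser never sees them.
const TAB_OR_NEWLINE = /[\t\n\r]/;

// Naive split of the host out of the raw string (assumption: a
// scheme://authority URL). Tabs and newlines are kept on purpose.
function rawHostOf(input) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^\/?#]*)/.exec(input);
  if (!m) return null;
  const hostPort = m[1].slice(m[1].lastIndexOf("@") + 1); // drop userinfo
  if (hostPort.startsWith("[")) {                          // IPv6 literal
    const end = hostPort.indexOf("]");
    return end === -1 ? hostPort : hostPort.slice(0, end + 1);
  }
  const colon = hostPort.lastIndexOf(":");
  return colon === -1 ? hostPort : hostPort.slice(0, colon);
}

// Report what the URL parser returns next to what was actually written.
function auditUrl(input) {
  const rawHost = rawHostOf(input);
  let parsedHost = null;
  try { parsedHost = new URL(input).hostname; } catch { /* parse failure */ }
  return {
    rawHost,
    parsedHost,
    strippedAnywhere: TAB_OR_NEWLINE.test(input),
    strippedInHost: rawHost !== null && TAB_OR_NEWLINE.test(rawHost),
  };
}

// Stricter wrapper: refuse input the parser would silently rewrite.
function strictParse(input) {
  if (TAB_OR_NEWLINE.test(input)) return null;
  try { return new URL(input); } catch { return null; }
}

// Constructed sample inputs.
for (const s of ["https://abc\txyz.test/path", "https://abcxyz.test/path"]) {
  console.log(JSON.stringify(auditUrl(s)), strictParse(s) !== null);
}
```

Logging `rawHost` alongside `parsedHost` gives allow-list and audit code the string that was supplied as well as the host the parser produced.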