- From: Marcos Del Sol Vives <notifications@github.com>
- Date: Wed, 27 Nov 2024 00:43:08 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/821/2503258299@github.com>
@annevk That website you've just given me kinda proves why IgnoreInvalidPunycode should be true. If an URL were to have a 15.1 character such as \U0002EBF0, my Firefox ESR 128.0 would be unable to process it - not even in the punycoded form! https://jsdom.github.io/whatwg-url/#url=aHR0cDovL3huLS04ZzBuLmNvbS8=&base=YWJvdXQ6Ymxhbms=  And even more, if you try to use 🪉, the harp emoji in 16.0, it will not work on neither: https://jsdom.github.io/whatwg-url/#url=aHR0cDovL3huLS1rMDloLmNvbS8=&base=YWJvdXQ6Ymxhbms=  Despite being actually valid according to IdnaMappingTable for 16.0.0: ``` 1FA89 ; valid ; ; NV8 # 16.0 HARP ``` Why is that? Because the tr46 library @jsdom/whatwg-url uses implements UTS 46 with the IDNA table 15.1.0, while my Firefox ESR 128.0 supports only up to 15.0.0, with the latest being 16.0.0. If IgnoreInvalidPunycode were true by default, as it is on Chrome, browsers would still prevent accessing via Unicode characters that could introduce security problems due to homographic attacks and confusables, but would allow navigating just fine via the punycoded version. In short, requiring software updates to use new DNS domains that are all valid to the basic RFC 1034 seems like a bad idea with no obvious benefits to me. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/821#issuecomment-2503258299 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/url/issues/821/2503258299@github.com>
Received on Wednesday, 27 November 2024 08:43:12 UTC