[whatwg/url] Windows file paths in URL parsing (Issue #873)

mertcanaltin created an issue (whatwg/url#873)

### What is the issue with the URL Standard?

# Windows file paths in URL parsing

## Current behavior
According to the URL specification, Windows file paths like `C:\path\file.node` are considered valid URLs. This is implemented in browsers (Chrome, Safari) and URL parsing libraries.

## Proposed change
Windows file paths should not be considered valid URLs unless they are explicitly prefixed with the `file:///` protocol.

## Rationale
1. **Security**: Windows file paths treated as URLs can lead to unintended file system access and path traversal attacks
2. **UX**: Users expect file paths to be treated as local files, not as URLs
3. **Consistency**: Other OS file paths are not treated as URLs by default

## Related Issues
- Node.js PR #58578: "node-api: preserve URL filenames without conversion" (https://github.com/nodejs/node/pull/58578)
- ada-url PR #957: "fix: reject Windows file paths in can_parse" (https://github.com/ada-url/ada/pull/957)

## Impact
- Browser implementations (Chrome, Safari) would need updates
- URL parsing libraries would need modifications
- Applications using URL parsing would need to be updated

## Examples
```javascript
// Current behavior
URL.canParse("C:\\path\\file.node") // true
URL.canParse("file:///C:/path/file.node") // true

// Proposed behavior
URL.canParse("C:\\path\\file.node") // false
URL.canParse("file:///C:/path/file.node") // true
```

## Questions
1. Why are Windows file paths considered valid URLs in the current spec?
2. How can we minimize the impact on existing web applications?
3. What would be a reasonable transition period?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/873
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/873@github.com>

Received on Friday, 13 June 2025 20:29:44 UTC