- From: RelunSec <notifications@github.com>
- Date: Sat, 03 Jan 2026 12:16:11 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/893/3707327114@github.com>
HackingRepo left a comment (whatwg/url#893) Thanks for the feedback. I agree that the current behavior is well‑defined and correct per the URL Standard, and that application‑level validation is necessary today. My concern is that this creates a recurring *security pitfall*: developers often assume that spec‑compliant parsers can be safely used for validation, when in fact normalization introduces exploitable bypasses (e.g. `http:127.0.0.1/` → `http://127.0.0.1/`). I’m not suggesting changing browser behavior, but rather adding an **opt‑in strict mode** or a **security note in the spec**. That way: - Browsers can continue to normalize for interoperability. - Non‑browser contexts (servers, WAFs, SSRF filters) can reject malformed input explicitly. - Developers are warned that relying solely on spec‑compliant normalization is unsafe in security‑sensitive contexts. This proposal is about balancing interoperability with security guidance. Even if the default remains unchanged, a strict mode or explicit warning in the spec would help prevent hidden bypasses in ecosystems that depend on this parser. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/893#issuecomment-3707327114 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/url/issues/893/3707327114@github.com>
Received on Saturday, 3 January 2026 20:16:16 UTC