- From: RelunSec <notifications@github.com>
- Date: Sat, 03 Jan 2026 12:50:40 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/893/3707347424@github.com>
HackingRepo left a comment (whatwg/url#893) Thanks for clarifying. I agree that the current behavior is well‑defined for generic schemes. My concern is specifically with **special schemes** (`http`, `https`, `ftp`, `file`, etc.), because these are the ones most often used in SSRF/WAF contexts where normalization of malformed input creates exploitable bypasses. For example: - `https:/127.0.0.1/` normalizes into `https://127.0.0.1/`, allowing an attacker to reach internal services. - `http:localhost` normalizes into `http://localhost/`, bypassing filters that reject the malformed form. If the spec were to call out special schemes explicitly: - Browsers could continue to normalize for interoperability. - Non‑browser contexts could reject malformed inputs for special schemes, preventing SSRF bypasses. - This would align with the idea that “generic schemes” remain permissive, but “special schemes” get stricter validation. So I’d support resolving this by **explicitly documenting stricter expectations for special schemes**. That way, implementers have clear guidance when security is a concern, without changing the general parsing rules for all schemes. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/893#issuecomment-3707347424 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/url/issues/893/3707347424@github.com>
Received on Saturday, 3 January 2026 20:50:44 UTC