- From: swhiteman <notifications@github.com>
- Date: Sat, 03 Jan 2026 23:18:24 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Sunday, 4 January 2026 07:18:28 UTC
swhiteman left a comment (whatwg/url#893) > Any modification to the href should make the string Not Normalized. OK, but failing to see the security case for flagging an all-caps hostname as “dirty“ at the same level as injecting `//`. At some point we have to distinguish between: - normalized but not dirty — e.g. empty path/trailing slash, explicit port that matches default/no port, host capitalization, dot segments, plus fixing up unnecessary percent encoding and x-www-form-urlencoded spaces (these last two wrt URLSearchParams, not URL) and - normalized via at least one modification that might be considered dirty, security-wise -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/893#issuecomment-3707814808 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/url/issues/893/3707814808@github.com>
Received on Sunday, 4 January 2026 07:18:28 UTC