- From: RelunSec <notifications@github.com>
- Date: Sun, 04 Jan 2026 01:40:15 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Sunday, 4 January 2026 09:40:19 UTC
HackingRepo left a comment (whatwg/url#893)

I get your concern about introducing modes; they can easily become a source of complexity if they’re not solving a real problem. My intent here isn’t to add knobs for the sake of it, but to highlight that the current normalization rules (like `%2e` collapsing) can create security bypasses in non‑browser contexts.

A strict mode proposal is one possible way to address that, but the underlying issue is: should the spec acknowledge that some consumers need stronger validation guarantees? If the answer is no modes, then maybe the alternative is clearer guidance in the standard about when normalization is unsafe.

I’d be interested in your view on whether the spec should at least document these pitfalls, even if it doesn’t add new parsing behavior.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/893#issuecomment-3707913277
Message ID: <whatwg/url/issues/893/3707913277@github.com>
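The `%2e` normalization mentioned in the comment above, shown as an added example that is not part of the original message or of the whatwg/url project. It contrasts a prefix check made on the raw string with one made on the parsed path. The host `example.test`, the `/public/` policy and all function names are assumptions made for illustration.

```javascript
// Added example; host, prefix policy and inputs are constructed.
// Hypothetical policy: only paths under /public/ may be served.
const ALLOWED_PREFIX = "/public/";

// Fragile pattern: validate the raw string, while a later component
// parses it with a WHATWG URL parser that resolves dot segments.
function naiveIsAllowed(rawPath) {
  return rawPath.startsWith(ALLOWED_PREFIX);
}

// The path a WHATWG-compliant parser (Node's global URL) produces.
// "%2e" and "%2E" are treated exactly like "." when forming segments.
function parsedPath(rawPath) {
  return new URL(rawPath, "https://example.test").pathname;
}

// Matches ".", "..", "%2e", ".%2e", "%2e." and "%2e%2e" as a whole
// segment, delimited by "/" or "\" (the parser treats "\" as "/"
// for special schemes such as https).
const DOT_SEGMENT = /(^|[\/\\])(\.|%2e){1,2}([\/\\]|$)/i;

// Stricter pattern: refuse any dot segment outright, then apply the
// policy to the parsed path so the check and the use see the same value.
function strictIsAllowed(rawPath) {
  if (DOT_SEGMENT.test(rawPath)) return false;
  return parsedPath(rawPath).startsWith(ALLOWED_PREFIX);
}

// Constructed sample inputs.
for (const p of ["/public/file.txt", "/public/%2e%2e/admin"]) {
  console.log(p, "->", parsedPath(p),
    "naive:", naiveIsAllowed(p), "strict:", strictIsAllowed(p));
}
```

The second check in `strictIsAllowed` is the backstop: even if an input slips past the dot-segment pattern, the decision is made on the same normalized path the consumer will use.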