Re: [whatwg/url] Malformed URL Normalization in Standard Introduces SSRF Risks (Issue #893)

HackingRepo left a comment (whatwg/url#893)

Thanks for sharing this perspective. I agree that the current spec leaves implementers with a lot of hidden pitfalls, and the permissiveness makes it hard to balance correctness, security, and performance. Even if the working group isn't ready to introduce a full strict mode, I think there's value in at least documenting non-fatal validation warnings in the standard. That way, implementers can choose to surface them or enforce stricter policies without diverging from spec compliance.

In particular, cases like userinfo handling, obfuscated IPv4 forms, or percent-encoded dots are good examples where a warning tier would help implementers make informed trade-offs. Formalizing these as warnings would give us a common vocabulary for strict options, rather than each implementation inventing its own.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/893#issuecomment-3707941583

Message ID: <whatwg/url/issues/893/3707941583@github.com>

Received on Sunday, 4 January 2026 10:16:34 UTC
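The three pitfalls the comment names (userinfo in the authority, obfuscated IPv4 forms, percent-encoded dot segments), shown against Node's WHATWG-compliant global URL class, as an added example that is not part of the thread, the spec, or any implementation's code. The lintUrl helper and its warning names are this example's own invention: it parses with the standard parser, then reports the non-fatal conditions as warnings so an SSRF filter can act on the normalized host rather than the raw string. It assumes Node.js, where URL is a global; all sample inputs are constructed for the example.

```javascript
// Added example: a "warning tier" over the WHATWG URL parser (Node's global URL).
// lintUrl and the warning names are invented for this example.

const DOT_SEGMENTS = new Set(['.', '%2e']);
const DOUBLE_DOT_SEGMENTS = new Set(['..', '.%2e', '%2e.', '%2e%2e']);

// Recover the host and path as typed, before the parser normalizes them.
// Handles "scheme://authority/path" inputs only; returns null otherwise.
function rawAuthorityAndPath(input) {
  const m = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/([^\/?#]*)([^?#]*)/.exec(input);
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf('@');
  if (at !== -1) authority = authority.slice(at + 1); // drop userinfo
  const host = authority.startsWith('[')
    ? authority.slice(0, authority.indexOf(']') + 1) // bracketed IPv6
    : authority.split(':')[0]; // strip port
  return { host, path: m[2] };
}

// True for dotted-decimal IPv4 in loopback, link-local, "this network"
// or RFC 1918 space: the usual SSRF targets. Input must already be normalized.
function isLoopbackOrPrivateIPv4(hostname) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(hostname);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function lintUrl(input) {
  const url = new URL(input); // fatal parse failures still throw, as the spec requires
  const raw = rawAuthorityAndPath(input);
  const warnings = [];

  // 1. userinfo: "http://trusted.example@evil.example/" connects to evil.example
  if (url.username !== '' || url.password !== '') warnings.push('userinfo');

  // 2. obfuscated IPv4: 0x7f000001, 2130706433, 0177.0.0.1 and 127.1 all become 127.0.0.1
  if (raw && /^\d+\.\d+\.\d+\.\d+$/.test(url.hostname) && raw.host !== url.hostname) {
    warnings.push('obfuscated-ipv4');
  }

  // 3. percent-encoded dot segments: the spec treats "%2e%2e" as ".." when resolving the path
  if (raw) {
    for (const seg of raw.path.split('/')) {
      const s = seg.toLowerCase();
      if (s.includes('%2e') && (DOT_SEGMENTS.has(s) || DOUBLE_DOT_SEGMENTS.has(s))) {
        warnings.push('percent-encoded-dot-segment');
        break;
      }
    }
  }

  // The check an SSRF filter actually needs: evaluate the normalized host, never the raw text
  if (url.hostname === 'localhost' || isLoopbackOrPrivateIPv4(url.hostname)) {
    warnings.push('loopback-or-private-address');
  }

  return { href: url.href, hostname: url.hostname, pathname: url.pathname, warnings };
}

// Constructed sample inputs for the example
const SAMPLES = [
  'https://example.com/x',
  'http://0x7f000001/',
  'http://127.1/admin',
  'http://trusted.example@evil.example/',
  'http://example.com/a/%2e%2e/b',
  'http://user:pw@10.0.0.5/',
];
for (const s of SAMPLES) {
  const r = lintUrl(s);
  console.log(`${s} -> host=${r.hostname} path=${r.pathname} warnings=[${r.warnings.join(', ')}]`);
}
```

The design point is the order of operations: an allow/deny decision made on the raw string ("does it start with 127.0.0.1?") is bypassed by every form above, while a decision made on url.hostname after spec-compliant parsing sees the same host the HTTP client will connect to. The warnings then tell a strict mode which inputs to reject outright.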