- From: The Moisrex <notifications@github.com>
- Date: Sun, 04 Jan 2026 13:20:53 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/893/3708436589@github.com>
the-moisrex left a comment (whatwg/url#893)

IMHO, I don't think `http:127.0.0.1` should be a failure, but I do think `http://///////////////////////////////////////127.0.0.1` should be. We should put some limits in some places like this. This can cause smuggling of information where it is otherwise not possible, or cause overflows. Though, to be fair, we have to do other things wrong for the URL Parser to be the one that has to catch it, but nonetheless, I think we need more validation errors or warnings.

This issue only reminded me of how many problems I do know about URLs. Of course, users will type those URLs, but that doesn't mean the APIs that we talk to have to parse and re-parse assuming all the URLs are convertible.

In my opinion, in most places from the server-side point of view, most URLs that we get have to comply with the `new URL(str).href === str` rule; otherwise the client is simply responsible for converting the URL.

So, I do think a more restricted version of the URL spec, or at least a whole lot more validation warnings, are needed.

And yes, it feels like @HackingRepo is using AI. If so, we can move on to another issue/discussion!

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/893#issuecomment-3708436589
Received on Sunday, 4 January 2026 21:20:57 UTC
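
The `new URL(str).href === str` rule mentioned in the comment above, as an added example that is not part of the original message or of the URL Standard: a server-side check that accepts a URL only if the WHATWG parser's serialization equals the input exactly. The function name `checkCanonicalUrl`, its result shape and the protocol allowlist are assumptions made for this example.

```javascript
// Added example: strict "already canonical" check for URLs received server-side.
// checkCanonicalUrl and its result shape are hypothetical names for this example.
function checkCanonicalUrl(input, { allowedProtocols = ["http:", "https:"] } = {}) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not-a-string" };
  }
  let parsed;
  try {
    // The WHATWG parser is lenient: it repairs many inputs instead of failing.
    parsed = new URL(input);
  } catch {
    return { ok: false, reason: "parse-failure" };
  }
  if (!allowedProtocols.includes(parsed.protocol)) {
    return { ok: false, reason: "protocol-not-allowed", href: parsed.href };
  }
  // The rule from the comment: the serialization must equal the input exactly.
  // Anything the parser had to repair (missing or extra slashes, case folding,
  // dot segments) is rejected and left for the client to convert.
  if (parsed.href !== input) {
    return { ok: false, reason: "not-canonical", href: parsed.href };
  }
  return { ok: true, href: parsed.href };
}

// Constructed sample inputs, including the two URLs quoted in the comment.
const samples = [
  "http://127.0.0.1/",
  "http:127.0.0.1",
  "http://///////////////////////////////////////127.0.0.1",
  "HTTP://Example.COM/a/../b",
  "http://example.com/path?q=1",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(checkCanonicalUrl(s)));
}
```

Both URLs quoted in the comment parse successfully to `http://127.0.0.1/`, so a plain `new URL()` call does not distinguish them; the equality check rejects both as non-canonical.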