Re: [whatwg/url] Malformed URL Normalization in Standard Introduces SSRF Risks (Issue #893) from Anne van Kesteren on 2026-01-05 (public-webapps-github@w3.org from January 2026)

From: Anne van Kesteren <notifications@github.com>
Date: Mon, 05 Jan 2026 00:40:48 -0800
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/893/3709442566@github.com>

annevk left a comment (whatwg/url#893)

I don't think placing limits on things that look bad leads to a sound system. I could certainly see how standardizing on algorithm limits in general could increase robustness, but then we'd have to tackle all of them. However, this would also be in conflict with https://infra.spec.whatwg.org/#algorithm-limits so would have to be done with great care and it seems rather unlikely it will be prioritized by anyone.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/893#issuecomment-3709442566
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/893/3709442566@github.com>

Received on Monday, 5 January 2026 08:40:52 UTC