Percent-encode U+007F DELETE when parsing URLs

Feature: Percent-encode U+007F DELETE when parsing URLs

When parsing URLs, encode the character U+007F DELETE as "%7F". This improves readability, reduces spoofing risk, makes Chrome's behavior more consistent, interoperable with other browsers and compliant with the specification.

Motivation

- U+7F is the only non-printable ASCII character that is not percent-encoded. One could rely on this for spoofing purpose. - The spec says it should be percent-encoded and WebKit and Gecko does it. - Blink already percent-encode U+7F in URLs in most cases, this change is about making it consistent by handling the same paths of non-special URLs (i.e. using schemes other than ftp, file, http, https, ws, wss) or URL fragments (i.e. #foo).

Specification

Editor's draft

Status in Chromium

Blink components: Blink>Network

Enabled by default (tracking bug) in:

Chrome for desktop release 86
Chrome for Android release 86
Android WebView release 86

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Edge: N/A
Safari: Positive
Web Developers: Positive

Owner

fwang@igalia.com

Comments

Basic examples: * <a href="https://example.org/#">URL fragment</a> * <a href="https://example.org/">special URL path</a> * <a href="javascript:alert('')">non-special URL path</a> If you hover one link or follow it, the statusline and url bar should use %7F. Chrome does it for the first one but not for the others. Another example with JavaScript: (new URL('web+foo:\u007F').href should output "web+foo:%7F"

Search tags

url,

Last updated on 2021-05-15