229490 2021-08-25 02:03:58 -0700 Invalid URL are treated as valid in navigator.canShare() 2021-08-25 23:38:06 -0700 1 1 1 Unclassified WebKit New Bugs Other Unspecified Unspecified RESOLVED INVALID P2 Normal --- 1 marcos webkit-unassigned achristensen hi thorton oldest_to_newest 1787116 0 marcos 2021-08-25 02:03:58 -0700 In Web Share's navigator.canShare() method, when passed: navigator.canShare({ url: "http://a.b:65536" }) WebKit returns true via URL::isValid(). However, the port is invalid. 1787185 1 achristensen 2021-08-25 09:30:25 -0700 navigator.canShare({ url: "http://a.b:65536" }) > false (not supported in Chrome and Firefox) new URL("http://a.b:65536") > TypeError new URL("http://a.b:65536") > URL {href: "http://a.b.65535/", ...} (Same as Chrome and Firefox.) C++ auto url = URL(URL(), "http://a.b:65536"); WTFLogAlways("valid? %d", url.isValid()); > valid? 0 Maybe you're using WebKit that is several years old, or maybe you're looking at the wrong thing. 1787468 2 marcos 2021-08-25 22:11:23 -0700 Sorry, yes. Seems I misread which test was failing. It was one to do with data: URLs rather: https://wpt.fyi/results/web-share/share-url-invalid.https.html?label=experimental&label=master&aligned I'll follow up in a different bug for that. 1787475 3 achristensen 2021-08-25 22:57:32 -0700 I think the relevant sentence in the spec is this: "If |url| is a URL the user agent deems potentially hostile (e.g., "file:") or wouldn't make sense to outside the scope of the document (e.g., "blob:"), return false." from https://w3c.github.io/web-share/ I'm wondering why Edge and the web platform tests think that include data URLs. They make sense outside the scope of the document and it's a judgement call as to whether the user agent deems them potentially hostile. 1787480 4 marcos 2021-08-25 23:38:06 -0700 (In reply to Alex Christensen from comment #3) > I think the relevant sentence in the spec is this: > "If |url| is a URL the user agent deems potentially hostile (e.g., "file:") > or wouldn't make sense to outside the scope of the document (e.g., "blob:"), > return false." > from https://w3c.github.io/web-share/ Yes, I added that a few days ago - but it's a bit of a stop-gap for the reason you mention: > I'm wondering why Edge and the web platform tests think that include data > URLs. They make sense outside the scope of the document and it's a > judgement call as to whether the user agent deems them potentially hostile. I made the following proposal: https://github.com/w3c/web-share/issues/178#issuecomment-904241285 """ Disallow sharing to "local scheme" ("about", "blob", or "data"), file, and "javascript", and any other scheme the UA doesn't want to share (e.g., internal "moz-icon:" or whatever). Allow sharing HTTP(S) scheme and, optionally, any of the "safe-listed schemes". That should give us broad coverage, while allowing the UA to retain control over what's actually shared, while excluding the "bad ones". """ "safe-listed schemes" are: https://html.spec.whatwg.org/#safelisted-scheme That's basically what I implemented in Gecko.