Bug 229490 - Invalid URL are treated as valid in navigator.canShare()
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Reported: 2021-08-25 02:03 PDT by Marcos Caceres
Modified: 2021-08-25 23:38 PDT
Description Marcos Caceres 2021-08-25 02:03:58 PDT
In Web Share's navigator.canShare() method, when passed:

  navigator.canShare({ url: "http://a.b:65536" })

WebKit returns true via URL::isValid(). However, the port is invalid.
Comment 1 Alex Christensen 2021-08-25 09:30:25 PDT
navigator.canShare({ url: "http://a.b:65536" })
> false
(not supported in Chrome and Firefox)

new URL("http://a.b:65536")
> TypeError
new URL("http://a.b:65536")
> URL {href: "http://a.b.65535/", ...}
(Same as Chrome and Firefox.)

C++
auto url = URL(URL(), "http://a.b:65536");
WTFLogAlways("valid? %d", url.isValid());
> valid? 0

Maybe you're using WebKit that is several years old, or maybe you're looking at the wrong thing.
Comment 2 Marcos Caceres 2021-08-25 22:11:23 PDT
Sorry, yes. Seems I misread which test was failing. 

It was one to do with data: URLs rather:
https://wpt.fyi/results/web-share/share-url-invalid.https.html?label=experimental&label=master&aligned

I'll follow up in a different bug for that.
Comment 3 Alex Christensen 2021-08-25 22:57:32 PDT
I think the relevant sentence in the spec is this:
"If |url| is a URL the user agent deems potentially hostile (e.g., "file:") or wouldn't make sense to outside the scope of the document (e.g., "blob:"), return false."
from https://w3c.github.io/web-share/

I'm wondering why Edge and the web platform tests think that includes data URLs. They make sense outside the scope of the document and it's a judgement call as to whether the user agent deems them potentially hostile.
Comment 4 Marcos Caceres 2021-08-25 23:38:06 PDT
(In reply to Alex Christensen from comment #3)
> I think the relevant sentence in the spec is this:
> "If |url| is a URL the user agent deems potentially hostile (e.g., "file:")
> or wouldn't make sense to outside the scope of the document (e.g., "blob:"),
> return false."
> from https://w3c.github.io/web-share/

Yes, I added that a few days ago - but it's a bit of a stop-gap for the reason you mention: 

> I'm wondering why Edge and the web platform tests think that includes data
> URLs. They make sense outside the scope of the document and it's a
> judgement call as to whether the user agent deems them potentially hostile.

I made the following proposal: 
https://github.com/w3c/web-share/issues/178#issuecomment-904241285

"""
Disallow sharing to "local scheme" ("about", "blob", or "data"), file, and "javascript", and any other scheme the UA doesn't want to share (e.g., internal "moz-icon:" or whatever).

Allow sharing HTTP(S) scheme and, optionally, any of the "safe-listed schemes".

That should give us broad coverage, while allowing the UA to retain control over what's actually shared, while excluding the "bad ones".
"""

"safe-listed schemes" are:
https://html.spec.whatwg.org/#safelisted-scheme

That's basically what I implemented in Gecko.
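
The scheme policy proposed in comment 4, written out as an added example (not part of the original thread, and not WebKit or Gecko code). The function name, its options and the subset of safelisted schemes are assumptions chosen for illustration; anything not explicitly allowed is refused.

```javascript
// Schemes the proposal disallows: "local schemes" plus file and javascript.
const BLOCKED_SCHEMES = new Set(["about", "blob", "data", "file", "javascript"]);
// Schemes the proposal always allows.
const ALWAYS_ALLOWED = new Set(["http", "https"]);
// Assumption: a small subset of the HTML "safelisted schemes", for illustration only.
const OPTIONAL_SAFELISTED = new Set(["mailto", "tel", "sms", "geo", "magnet", "irc", "xmpp"]);

// Hypothetical helper: returns { ok, reason } so a caller can log why a URL was refused.
function classifyShareUrl(input, { base, allowSafelisted = false } = {}) {
  let parsed;
  try {
    // The URL parser rejects out-of-range ports such as 65536 with a TypeError.
    parsed = new URL(input, base);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  // protocol is already lowercased by the parser; drop the trailing ":".
  const scheme = parsed.protocol.slice(0, -1);
  if (BLOCKED_SCHEMES.has(scheme)) {
    return { ok: false, reason: `blocked scheme: ${scheme}` };
  }
  if (ALWAYS_ALLOWED.has(scheme)) {
    return { ok: true, reason: "http(s)" };
  }
  if (allowSafelisted && OPTIONAL_SAFELISTED.has(scheme)) {
    return { ok: true, reason: "safelisted" };
  }
  // Deny by default: covers internal schemes the UA does not want to share.
  return { ok: false, reason: `scheme not allowed: ${scheme}` };
}

// Constructed sample inputs, including the URL from the bug description.
const samples = [
  "http://a.b:65536",
  "https://example.com/page",
  "data:text/plain,hello",
  "JavaScript:void(0)",
  "blob:https://example.com/0000",
  "mailto:someone@example.com",
  "moz-icon:whatever",
];
for (const s of samples) {
  console.log(s, "->", classifyShareUrl(s, { allowSafelisted: true }));
}
```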