URLParser should reject hosts with C0 control characters or U+007F
Created attachment 441916 [details] Patch
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment on attachment 441916 [details] Patch Thanks for the speedy fix! >--- a/Source/WTF/ChangeLog >+++ b/Source/WTF/ChangeLog [...] >+ This matches Chrome and Firefox and was proposed to the standard at >+ https://github.com/whatwg/url/issues/627 I was incorrect in my initial testing: Firefox does not throw for \u007F apparently, but it does throw for %7F. So it almost matches Firefox, and completely matches Chrome. [...] >diff --git a/LayoutTests/imported/w3c/web-platform-tests/url/url-character-sets.any.js b/LayoutTests/imported/w3c/web-platform-tests/url/url-character-sets.any.js >new file mode 100644 >index 0000000000000000000000000000000000000000..70beab1a92fcd03faca00dcaa4bbe0c93195fe24 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/url/url-character-sets.any.js >@@ -0,0 +1,12 @@ >+for (let cp = 0; cp <= 0x7f; cp++) { >+ test(() => { >+ let caught = false >+ try { >+ new URL("https://" + String.fromCodePoint(cp)); >+ new URL("not-special://" + String.fromCodePoint(cp)); Could we split the two cases into two separate test()s? It'd make my life a lot easier as Chrome currently doesn't support hosts in non-special URLs.
Created attachment 441947 [details] Patch
The non-special URL host parsing actually has different rules. There is yet some standards work to be done there that is not in the scope of this change, so I omitted it. I did, however, add a percent-encoded test that shows Firefox's current behavior with %7f
Committed r284588 (243321@main): <https://commits.webkit.org/243321@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441947 [details].
<rdar://problem/84485556>