This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 27642 - Enumerate security considerations for display of URLs to users, especially non-ASCII URLs.
Summary: Enumerate security considerations for display of URLs to users, especially no...
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: URL (show other bugs)
Version: unspecified
Hardware: All All
: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+urlspec
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-17 20:47 UTC by Sam Ruby
Modified: 2015-08-25 14:22 UTC (History)
3 users (show)

See Also:

Attachments

Description Sam Ruby 2014-12-17 20:47:05 UTC 
This bug was opened on behalf of Larry Masinter, based on:

https://github.com/webspecs/url/issues/18
Comment 1 Anne 2015-06-22 17:20:27 UTC 
See http://tools.ietf.org/html/rfc3987#section-8 in particular for some of the risks. Mostly UI risks. The encoding risks are not really URL-specific.
Comment 2 Anne 2015-08-25 11:01:15 UTC 
That RFC boils down to "spoofing" risks and being careful with allocating new URLs to avoid having your users spoofed. (Though obviously you can't do that for domain names.)

We've also tackled some reparsing issues. This is why the host parser disallows a certain set of ASCII code points.

We should mention that in certain contexts URLs can be used to execute attacks. E.g., if a user agent dispatches unknown URLs to elsewhere it should do so very carefully and both parties need to understand the implications (they typically don't expect attacks).

And I guess we should mention that bidirectional URLs can cause significant confusion.