WICG / sms-one-time-codes

A way to format SMS messages for use with browser autofill features such as HTML’s autocomplete=one-time-code.
https://wicg.github.io/sms-one-time-codes/

Parsing logic may accept hosts that are invalid to use with an https origin #6

Closed majido closed 4 years ago

majido commented 4 years ago

The current parsing algorithm accepts any character between '@' and space to be the host part of the origin.

However per URL spec host cannot contain certain characters: "A forbidden host code point is U+0000 NULL, U+0009 TAB, U+000A LF, U+000D CR, U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003C (<), U+003E (>), U+003F (?), U+0040 (@), U+005B ([), U+005C (\), U+005D (]), or U+005E (^)."

I think it makes sense to verify the captured host is valid before accepting it.
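As an added illustration of the check proposed in this issue (example code, not the spec's or the repository's own): a minimal parser for an assumed `@host #code` final-line shape that shows the unvalidated host extraction beside a version that rejects hosts containing the forbidden host code points quoted above.

```python
# Added example, not the WICG spec's or repository's own code: parse the
# final "@host #code" line of an SMS one-time-code message and validate the
# host against the URL Standard's forbidden host code points.

# Forbidden host code points as quoted in the issue (URL Standard).
FORBIDDEN_HOST_CODE_POINTS = frozenset("\x00\t\n\r #%/:<>?@[\\]^")


def naive_host(last_line: str):
    """The behaviour the issue describes: everything between '@' and the
    first space is taken as the host, with no validation at all."""
    if not last_line.startswith("@") or " " not in last_line:
        return None
    return last_line[1:last_line.index(" ")]


def is_valid_host(host: str) -> bool:
    """Accept only a non-empty host free of forbidden host code points."""
    return bool(host) and not any(ch in FORBIDDEN_HOST_CODE_POINTS for ch in host)


def parse_origin_bound_code(message: str):
    """Parse the last line of `message`, assumed to have the shape
    '@<host> #<code>', and return (host, code).  Returns None when the line
    is malformed or the host could not be part of a valid https origin."""
    last_line = message.rstrip("\r\n").split("\n")[-1]
    host = naive_host(last_line)
    if host is None or not is_valid_host(host):
        return None
    remainder = last_line[len(host) + 2:]  # skip '@<host> '
    if not remainder.startswith("#"):
        return None
    code = remainder[1:].split(" ", 1)[0]  # code runs to the next space or end
    return (host, code) if code else None


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    print(parse_origin_bound_code("Your code is 123456.\n@example.com #123456"))
    print(parse_origin_bound_code("@example.com/evil #123456"))  # rejected host
```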

samuelgoto commented 4 years ago

Can we mark this as fixed?