Normalize or reject URLs with `..` components

[casey]

270 made me think that we should normalize or reject URLs with paths containing ...

If user agents normalize or remove .. from paths before making requests, then there doesn't seem to be a good reason for agora not to reject paths that are received with ...

Some things that could be done to move this forward:

• Figure out what users agents actually do, Chrome, curl, Firefox, Safari, Brave, w3m, and lynx would be good to check, just to cover what's widely used, but also get different implementations.
• Figure out what spec governs .. in URL paths, and what user agents are expected to do when encountering them. I couldn't figure this out after doing some searches.

[casey]

Adding the ready to implement label, although that's just for researching what user agents do and finding the relevant spec. Suggestions for better names than "ready to implement" are most welcome.

[casey]

My general feeling about .. is that it is a nice affordance in user-facing interfaces, but a mistake anywhere else. Paths containing .. should be normalized at the outermost layer, rejected if they can't be normalized away (i.e. leading .. components), and not make their way further into the system.

[casey]

Okay, I think that the URI Generic Syntax RFC dictates that . and .. should be normalized away by the user-agent before making the request, and shouldn't make it into a request.