This IDNA 2008 author applauds your decision.
On Mon, Nov 28, 2022 at 10:16 PM Mustafa Emre Acer <mea...@chromium.org> wrote: > Contact emailsmea...@chromium.org > > Specificationhttps://unicode.org/reports/tr46 > > Summary > > Enable IDNA 2008 in Non-Transitional Mode for URL processing, aligning > Chrome's behavior with Firefox and Safari. Chrome currently uses IDNA 2008 > in Transitional Mode in URL processing. The main difference between > Transitional and Non-Transitional Mode is the handling of four characters > known as deviation characters: ß (LATIN SMALL LETTER SHARP S), ς (GREEK > SMALL LETTER FINAL SIGMA), ZWJ (Zero width joiner) and ZWNJ (Zero width > non-joiner). In Transitional mode, deviation characters are handled the > same as IDNA2003: ß is mapped to ss, ς is mapped to σ, and ZWJ and ZWNJ are > deleted. In Non-Transitional mode, domains containing these characters are > allowed in domain names without mapping, and thus can resolve to different > IP addresses. For example, typing "faß.de <http://fass.de>" in Chrome and > Firefox opens different sites today. Enabling Non-Transitional IDNA in > Chrome will allow deviation characters in domain names. Firefox and Safari > already made this change in 2016 and continue to use Non-Transitional URL > processing. > > > Blink componentUI>Security>UrlFormatting > <https://bugs.chromium.org/p/chromium/issues/list?q=component:UI%3ESecurity%3EUrlFormatting> > > Search tagsidna <https://chromestatus.com/features#tags:idna> > > TAG reviewThis feature addresses conformance to an existing spec and > other browsers already do it. > > TAG review statusNot applicable > > Risks > > > Interoperability and Compatibility > > > > *Gecko*: Shipped/Shipping ( > https://bugzilla.mozilla.org/show_bug.cgi?id=1218179) > > *WebKit*: Shipped/Shipping ( > https://trac.webkit.org/changeset/208902/webkit) > > *Web developers*: No signals > > *Other signals*: > > Security > > This change introduces a potential security issue where a domain pointing > to one IP may start pointing to another IP. As an example, IDNA2003 and > Transitional IDNA-2008 maps faß.de <http://fass.de> to fass.de (ß is a > deviation character). Non-Transitional IDNA2008 maps it to xn--fa-hia.de > which is the punycode representation of faß.de <http://fass.de>. Typing " > faß.de <http://fass.de>" in Chrome and Firefox currently opens different > sites. Main mitigations discussed were domain bundling / blocking where > registrars bundle domain names (e.g. registering faß.de <http://fass.de> > along with fass.de) or block the alternative domain name (e.g. disallow > faß.de <http://fass.de> if fass.de is registered). According to data from > Chrome 106 and 107: - Less than 0.001% of user-typed or pasted main frame > navigations had a deviation character in the hostname. This excludes link > clicks and renderer initiated navigations, so the percentage of affected > domains among all navigations is even lower. - Only one hostname had a > deviation character and had more than 50 impressions over a 28 day period ( > fußball.de <http://fussball.de>). Both fußball.de <http://fussball.de> > and fussball.de have the same owner so this change doesn't affect them. > Thus, typing domain names with deviation characters is very rare. Domain > bundling / blocking aren't blockers as this change won't have a significant > impact on navigations. Finally, Firefox and Safari have been using > Non-Transitional IDNA 2008 since 2016 without issues. > > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > > > Debuggability > > > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, Chrome OS, Android, and Android WebView)?Yes > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ?No > > DevTrial instructions > https://bugs.chromium.org/p/chromium/issues/detail?id=694157#c70 > > Flag nameuse-idna2008-non-transitional > > Requires code in //chrome?False > > Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=694157 > > Launch bughttps://launch.corp.google.com/launch/4224656 > > Estimated milestones > DevTrial on desktop 110 > DevTrial on Android 110 > > Anticipated spec changes > > Open questions about a feature may be a source of future web compat or > interop issues. Please list open issues (e.g. links to known github issues > in the project for the feature specification) whose resolution may > introduce web compat/interop risk (e.g., changing to naming or structure of > the API in a non-backward-compatible way). > > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/5105856067141632 > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOqqYVFsCyiMPA4eVWZy-a%2Bv6XCgcYkCDzhq7XVSP4O_rQFFyA%40mail.gmail.com.
