Contact emailsmea...@chromium.org Specificationhttps://unicode.org/reports/tr46
Summary Enable IDNA 2008 in Non-Transitional Mode for URL processing, aligning Chrome's behavior with Firefox and Safari. Chrome currently uses IDNA 2008 in Transitional Mode in URL processing. The main difference between Transitional and Non-Transitional Mode is the handling of four characters known as deviation characters: ß (LATIN SMALL LETTER SHARP S), ς (GREEK SMALL LETTER FINAL SIGMA), ZWJ (Zero width joiner) and ZWNJ (Zero width non-joiner). In Transitional mode, deviation characters are handled the same as IDNA2003: ß is mapped to ss, ς is mapped to σ, and ZWJ and ZWNJ are deleted. In Non-Transitional mode, domains containing these characters are allowed in domain names without mapping, and thus can resolve to different IP addresses. For example, typing "faß.de <http://fass.de>" in Chrome and Firefox opens different sites today. Enabling Non-Transitional IDNA in Chrome will allow deviation characters in domain names. Firefox and Safari already made this change in 2016 and continue to use Non-Transitional URL processing. Blink componentUI>Security>UrlFormatting <https://bugs.chromium.org/p/chromium/issues/list?q=component:UI%3ESecurity%3EUrlFormatting> Search tagsidna <https://chromestatus.com/features#tags:idna> TAG reviewThis feature addresses conformance to an existing spec and other browsers already do it. TAG review statusNot applicable Risks Interoperability and Compatibility *Gecko*: Shipped/Shipping ( https://bugzilla.mozilla.org/show_bug.cgi?id=1218179) *WebKit*: Shipped/Shipping (https://trac.webkit.org/changeset/208902/webkit) *Web developers*: No signals *Other signals*: Security This change introduces a potential security issue where a domain pointing to one IP may start pointing to another IP. As an example, IDNA2003 and Transitional IDNA-2008 maps faß.de <http://fass.de> to fass.de (ß is a deviation character). Non-Transitional IDNA2008 maps it to xn--fa-hia.de which is the punycode representation of faß.de <http://fass.de>. Typing " faß.de <http://fass.de>" in Chrome and Firefox currently opens different sites. Main mitigations discussed were domain bundling / blocking where registrars bundle domain names (e.g. registering faß.de <http://fass.de> along with fass.de) or block the alternative domain name (e.g. disallow faß.de <http://fass.de> if fass.de is registered). According to data from Chrome 106 and 107: - Less than 0.001% of user-typed or pasted main frame navigations had a deviation character in the hostname. This excludes link clicks and renderer initiated navigations, so the percentage of affected domains among all navigations is even lower. - Only one hostname had a deviation character and had more than 50 impressions over a 28 day period ( fußball.de <http://fussball.de>). Both fußball.de <http://fussball.de> and fussball.de have the same owner so this change doesn't affect them. Thus, typing domain names with deviation characters is very rare. Domain bundling / blocking aren't blockers as this change won't have a significant impact on navigations. Finally, Firefox and Safari have been using Non-Transitional IDNA 2008 since 2016 without issues. WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? Debuggability Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?Yes Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ?No DevTrial instructions https://bugs.chromium.org/p/chromium/issues/detail?id=694157#c70 Flag nameuse-idna2008-non-transitional Requires code in //chrome?False Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=694157 Launch bughttps://launch.corp.google.com/launch/4224656 Estimated milestones DevTrial on desktop 110 DevTrial on Android 110 Anticipated spec changes Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way). Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5105856067141632 This intent message was generated by Chrome Platform Status <https://chromestatus.com/>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHafXh3rh2Hh35Pv1wNg8vBzUMy13NY%2Bh1y8HmHQrH2aD1i_Lg%40mail.gmail.com.
