[whatwg] Question about document.referrer (and document.URL, document.location.href) when IDN domains are in use

Ian Hickson ian at hixie.ch
Tue Sep 10 13:40:36 PDT 2013


On Tue, 10 Sep 2013, Boris Zbarsky wrote:
> On 9/10/13 3:54 PM, Ian Hickson wrote:
> > 
> > > [some sites compare values that are always-punycoded domains with 
> > > values that can be full Unicode for security checks]
> >
> > Well, then they'll be broken, I guess. (They'll break safe, though.)
> 
> Well, the outcome is "user can't use site".  (Which they care more about 
> than whether the site is safe or not, too, though the safety bit is not 
> relevant to the discussion per se.)

Do you have a concrete example I can look at here? I agree we should make 
this interoperable.


> > It might be, depends on what the URL is.
> 
> Basically, if we want interop on this stuff we need to define which 
> things get punycoded where and which things are stored as ACE instead 
> and whatnot.  :(

Agreed. I think we have (if it doesn't say to punycode, don't punycode; 
nothing ever unpunycodes). The current definitions might not be always 
what we want, but I think to the extent that they are not, we need to 
study concrete examples to see what we should do.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list