Changeset 271899 in webkit

Timestamp:

Jan 26, 2021 1:14:33 PM (18 months ago)

Author:

commit-queue@webkit.org

Message:

Forbid '|' in URL hosts
​https://bugs.webkit.org/show_bug.cgi?id=220778

Patch by Alex Christensen <​achristensen@webkit.org> on 2021-01-26
Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

• web-platform-tests/url/a-element-expected.txt:
• web-platform-tests/url/a-element-origin-expected.txt:
• web-platform-tests/url/a-element-origin-xhtml-expected.txt:
• web-platform-tests/url/a-element-xhtml-expected.txt:
• web-platform-tests/url/failure-expected.txt:
• web-platform-tests/url/resources/urltestdata.json:
• web-platform-tests/url/url-constructor-expected.txt:
• web-platform-tests/url/url-origin-expected.txt:

Source/WTF:

This is one of the proposed solutions to ​https://github.com/whatwg/url/issues/559
and RFC 3986 and 3987 forbid such characters, so let's try forbidding it.

• wtf/URLParser.cpp:

(WTF::isC0Control):
(WTF::isForbiddenHostCodePoint):

LayoutTests:

• fast/url/file-http-base-expected.txt:
• fast/url/file-http-base.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/url/file-http-base-expected.txt (modified) (1 diff)
• LayoutTests/fast/url/file-http-base.html (modified) (3 diffs)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/url/a-element-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-xhtml-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/url/a-element-xhtml-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/url/failure-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/url/resources/urltestdata.json (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/url/url-constructor-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/url/url-origin-expected.txt (modified) (2 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/URLParser.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-01-26  Alex Christensen  <achristensen@webkit.org>
+
+        Forbid '|' in URL hosts
+        https://bugs.webkit.org/show_bug.cgi?id=220778
+
+        Reviewed by Youenn Fablet.
+
+        * fast/url/file-http-base-expected.txt:
+        * fast/url/file-http-base.html:
+
 2021-01-26  Rob Buis  <rbuis@igalia.com>
 

trunk/LayoutTests/fast/url/file-http-base-expected.txt

@@ -4 +4 @@
 
 
-FAIL canonicalize('file:c:\\foo\\bar.html') should be file:///C:/foo/bar.html. Was file:///c:/foo/bar.html.
-FAIL canonicalize('  File:c|////foo\\bar.html') should be file:///C:////foo/bar.html. Was file:///c:////foo/bar.html.
+PASS canonicalize('file:c:\\foo\\bar.html') is 'file:///c:/foo/bar.html'
+PASS canonicalize('  File:c|////foo\\bar.html') is 'file:///c:////foo/bar.html'
 PASS canonicalize('file:') is 'file:///'
-FAIL canonicalize('file:UNChost/path') should be file://unchost/path. Was file:///UNChost/path.
-FAIL canonicalize('c:\\foo\\bar') should be file:///C:/foo/bar. Was c:\foo\bar.
-FAIL canonicalize('C|/foo/bar') should be file:///C:/foo/bar. Was http://example.com/mock/C|/foo/bar.
-FAIL canonicalize('/C|\\foo\\bar') should be file:///C:/foo/bar. Was http://example.com/C|/foo/bar.
-FAIL canonicalize('//C|/foo/bar') should be file:///C:/foo/bar. Was http://c|/foo/bar.
-FAIL canonicalize('//server/file') should be file://server/file. Was http://server/file.
-FAIL canonicalize('\\\\server\\file') should be file://server/file. Was http://server/file.
-FAIL canonicalize('/\\server/file') should be file://server/file. Was http://server/file.
-FAIL canonicalize('file:c:foo/bar.html') should be file:///C:/foo/bar.html. Was file:///c:foo/bar.html.
-FAIL canonicalize('file:/\\/\\C:\\\\//foo\\bar.html') should be file:///C:////foo/bar.html. Was file:////C:////foo/bar.html.
+PASS canonicalize('file:UNChost/path') is 'file:///UNChost/path'
+PASS canonicalize('c:\\foo\\bar') is 'c:\\foo\\bar'
+PASS canonicalize('C|/foo/bar') is 'http://example.com/mock/C|/foo/bar'
+PASS canonicalize('/C|\\foo\\bar') is 'http://example.com/C|/foo/bar'
+PASS canonicalize('//C|/foo/bar') is '//C|/foo/bar'
+PASS canonicalize('//server/file') is 'http://server/file'
+PASS canonicalize('\\\\server\\file') is 'http://server/file'
+PASS canonicalize('/\\server/file') is 'http://server/file'
+PASS canonicalize('file:c:foo/bar.html') is 'file:///c:foo/bar.html'
+PASS canonicalize('file:/\\/\\C:\\\\//foo\\bar.html') is 'file:////C:////foo/bar.html'
 PASS canonicalize('file:///foo/bar.txt') is 'file:///foo/bar.txt'
-FAIL canonicalize('FILE:/\\/\\7:\\\\//foo\\bar.html') should be file://7:////foo/bar.html. Was file:////7:////foo/bar.html.
-FAIL canonicalize('file:filer/home\\me') should be file://filer/home/me. Was file:///filer/home/me.
+PASS canonicalize('FILE:/\\/\\7:\\\\//foo\\bar.html') is 'file:////7:////foo/bar.html'
+PASS canonicalize('file:filer/home\\me') is 'file:///filer/home/me'
 PASS canonicalize('file:///C:/foo/../../../bar.html') is 'file:///C:/bar.html'
-FAIL canonicalize('file:///C:/asdf#\xc2') should be file:///C:/asdf#Â. Was file:///C:/asdf#%C3%82.
-FAIL canonicalize('file:///C:/asdf#Â') should be file:///C:/asdf#Â. Was file:///C:/asdf#%C3%82.
+PASS canonicalize('file:///C:/asdf#\xc2') is 'file:///C:/asdf#%C3%82'
+PASS canonicalize('file:///C:/asdf#Â') is 'file:///C:/asdf#%C3%82'
 PASS canonicalize('file:///home/me') is 'file:///home/me'
 PASS canonicalize('file:c:\\foo\\bar.html') is 'file:///c:/foo/bar.html'
-FAIL canonicalize('file:c|//foo\\bar.html') should be file:///c%7C//foo/bar.html. Was file:///c://foo/bar.html.
-FAIL canonicalize('//') should be file:///. Was //.
-FAIL canonicalize('///') should be file:///. Was ///.
-FAIL canonicalize('///test') should be file:///test. Was http://test/.
+PASS canonicalize('file:c|//foo\\bar.html') is 'file:///c://foo/bar.html'
+PASS canonicalize('//') is '//'
+PASS canonicalize('///') is '///'
+PASS canonicalize('///test') is 'http://test/'
 PASS canonicalize('file://test') is 'file://test/'
-FAIL canonicalize('file://localhost') should be file://localhost/. Was file:///.
-FAIL canonicalize('file://localhost/') should be file://localhost/. Was file:///.
-FAIL canonicalize('file://localhost/test') should be file://localhost/test. Was file:///test.
+PASS canonicalize('file://localhost') is 'file:///'
+PASS canonicalize('file://localhost/') is 'file:///'
+PASS canonicalize('file://localhost/test') is 'file:///test'
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/url/file-http-base.html

@@ -12 +12 @@
 cases = [ 
     // Windows-style paths
-    ["file:c:\\\\foo\\\\bar.html", "file:///C:/foo/bar.html"],
-    ["  File:c|////foo\\\\bar.html", "file:///C:////foo/bar.html"],
+    ["file:c:\\\\foo\\\\bar.html", "file:///c:/foo/bar.html"],
+    ["  File:c|////foo\\\\bar.html", "file:///c:////foo/bar.html"],
     ["file:", "file:///"],
-    ["file:UNChost/path", "file://unchost/path"],
+    ["file:UNChost/path", "file:///UNChost/path"],
     // CanonicalizeFileURL supports absolute Windows style paths for IE
     // compatability. Note that the caller must decide that this is a file
     // URL itself so it can call the file canonicalizer. This is usually
     // done automatically as part of relative URL resolving.
-    ["c:\\\\foo\\\\bar", "file:///C:/foo/bar"],
-    ["C|/foo/bar", "file:///C:/foo/bar"],
-    ["/C|\\\\foo\\\\bar", "file:///C:/foo/bar"],
-    ["//C|/foo/bar", "file:///C:/foo/bar"],
-    ["//server/file", "file://server/file"],
-    ["\\\\\\\\server\\\\file", "file://server/file"],
-    ["/\\\\server/file", "file://server/file"],
+    ["c:\\\\foo\\\\bar", "c:\\\\foo\\\\bar"],
+    ["C|/foo/bar", "http://example.com/mock/C|/foo/bar"],
+    ["/C|\\\\foo\\\\bar", "http://example.com/C|/foo/bar"],
+    ["//C|/foo/bar", "//C|/foo/bar"],
+    ["//server/file", "http://server/file"],
+    ["\\\\\\\\server\\\\file", "http://server/file"],
+    ["/\\\\server/file", "http://server/file"],
     // We should preserve the number of slashes after the colon for IE
     // compatability, except when there is none, in which case we should
     // add one.
-    ["file:c:foo/bar.html", "file:///C:/foo/bar.html"],
-    ["file:/\\\\/\\\\C:\\\\\\\\//foo\\\\bar.html", "file:///C:////foo/bar.html"],
+    ["file:c:foo/bar.html", "file:///c:foo/bar.html"],
+    ["file:/\\\\/\\\\C:\\\\\\\\//foo\\\\bar.html", "file:////C:////foo/bar.html"],
     // Three slashes should be non-UNC, even if there is no drive spec (IE
     // does this, which makes the resulting request invalid).
@@ -41 +41 @@
     // seem to be a strong argument for why allowing it here would be bad, so
     // we just tolerate it and the load will fail later.
-    ["FILE:/\\\\/\\\\7:\\\\\\\\//foo\\\\bar.html", "file://7:////foo/bar.html"],
-    ["file:filer/home\\\\me", "file://filer/home/me"],
+    ["FILE:/\\\\/\\\\7:\\\\\\\\//foo\\\\bar.html", "file:////7:////foo/bar.html"],
+    ["file:filer/home\\\\me", "file:///filer/home/me"],
     // Make sure relative paths can't go above the "C:"
     ["file:///C:/foo/../../../bar.html", "file:///C:/bar.html"],
     // Busted refs shouldn't make the whole thing fail.
-    ["file:///C:/asdf#\\xc2", "file:///C:/asdf#\\xc2"],
-    ["file:///C:/asdf#\xc2", "file:///C:/asdf#\xc2"],
+    ["file:///C:/asdf#\\xc2", "file:///C:/asdf#%C3%82"],
+    ["file:///C:/asdf#\xc2", "file:///C:/asdf#%C3%82"],
 
     // Unix-style paths
@@ -53 +53 @@
     // Windowsy ones should get still treated as Unix-style.
     ["file:c:\\\\foo\\\\bar.html", "file:///c:/foo/bar.html"],
-    ["file:c|//foo\\\\bar.html", "file:///c%7C//foo/bar.html"],
+    ["file:c|//foo\\\\bar.html", "file:///c://foo/bar.html"],
     // file: tests from WebKit (LayoutTests/fast/loader/url-parse-1.html)
-    ["//", "file:///"],
-    ["///", "file:///"],
-    ["///test", "file:///test"],
+    ["//", "//"],
+    ["///", "///"],
+    ["///test", "http://test/"],
     ["file://test", "file://test/"],
-    ["file://localhost",  "file://localhost/"],
-    ["file://localhost/", "file://localhost/"],
-    ["file://localhost/test", "file://localhost/test"],
+    ["file://localhost",  "file:///"],
+    ["file://localhost/", "file:///"],
+    ["file://localhost/test", "file:///test"],
 ];
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-01-26  Alex Christensen  <achristensen@webkit.org>
+
+        Forbid '|' in URL hosts
+        https://bugs.webkit.org/show_bug.cgi?id=220778
+
+        Reviewed by Youenn Fablet.
+
+        * web-platform-tests/url/a-element-expected.txt:
+        * web-platform-tests/url/a-element-origin-expected.txt:
+        * web-platform-tests/url/a-element-origin-xhtml-expected.txt:
+        * web-platform-tests/url/a-element-xhtml-expected.txt:
+        * web-platform-tests/url/failure-expected.txt:
+        * web-platform-tests/url/resources/urltestdata.json:
+        * web-platform-tests/url/url-constructor-expected.txt:
+        * web-platform-tests/url/url-origin-expected.txt:
+
 2021-01-26  Rob Buis  <rbuis@igalia.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/url/a-element-expected.txt

@@ -368 +368 @@
 PASS Parsing: <non-special://a>b> against <about:blank>
 PASS Parsing: <non-special://a^b> against <about:blank>
-PASS Parsing: <http://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
-PASS Parsing: <sc://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
+PASS Parsing: <http://!"$&'()*+,-.;=_`{}~/> against <about:blank>
+PASS Parsing: <sc://!"$&'()*+,-.;=_`{}~/> against <about:blank>
 PASS Parsing: <ftp://example.com%80/> against <about:blank>
 PASS Parsing: <ftp://example.com%A0/> against <about:blank>
@@ -415 +415 @@
 PASS Parsing: <file:///C%3A/> against <about:blank>
 PASS Parsing: <file:///C%7C/> against <about:blank>
+PASS Parsing: <file://%43%3A> against <about:blank>
+PASS Parsing: <file://%43%7C> against <about:blank>
+PASS Parsing: <file://%43|> against <about:blank>
+PASS Parsing: <file://C%7C> against <about:blank>
+PASS Parsing: <file://%43%7C/> against <about:blank>
+PASS Parsing: <https://%43%7C/> against <about:blank>
+PASS Parsing: <asdf://%43|/> against <about:blank>
+PASS Parsing: <asdf://%43%7C/> against <about:blank>
 PASS Parsing: <pix/submit.gif> against <file:///C:/Users/Domenic/Dropbox/GitHub/tmpvar/jsdom/test/level2/html/files/anchor.html>
 PASS Parsing: <..> against <file:///C:/>

trunk/LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-expected.txt

@@ -264 +264 @@
 FAIL Parsing origin: <wow:￿> against <about:blank> assert_equals: origin expected "null" but got "wow://"
 PASS Parsing origin: <http://example.com/U+d800�U+dffeU+dfff﷐﷏﷯ﷰ￾￿?U+d800�U+dffeU+dfff﷐﷏﷯ﷰ￾￿> against <about:blank>
-PASS Parsing origin: <http://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
-FAIL Parsing origin: <sc://!"$&'()*+,-.;=_`{|}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;=_`{|}~"
+PASS Parsing origin: <http://!"$&'()*+,-.;=_`{}~/> against <about:blank>
+FAIL Parsing origin: <sc://!"$&'()*+,-.;=_`{}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;=_`{}~"
 PASS Parsing origin: <ftp://%e2%98%83> against <about:blank>
 PASS Parsing origin: <https://%e2%98%83> against <about:blank>
@@ -298 +298 @@
 PASS Parsing origin: <http://256.256.256.256.256> against <http://other.com/>
 PASS Parsing origin: <https://0x.0x.0> against <about:blank>
+FAIL Parsing origin: <asdf://%43%7C/> against <about:blank> assert_equals: origin expected "null" but got "asdf://%43%7c"
 PASS Parsing origin: <http://[1:0::]> against <http://example.net/>
 FAIL Parsing origin: <sc://ñ> against <about:blank> assert_equals: origin expected "null" but got "sc://%c3%b1"

trunk/LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-xhtml-expected.txt

@@ -264 +264 @@
 FAIL Parsing origin: <wow:￿> against <about:blank> assert_equals: origin expected "null" but got "wow://"
 PASS Parsing origin: <http://example.com/U+d800�U+dffeU+dfff﷐﷏﷯ﷰ￾￿?U+d800�U+dffeU+dfff﷐﷏﷯ﷰ￾￿> against <about:blank>
-PASS Parsing origin: <http://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
-FAIL Parsing origin: <sc://!"$&'()*+,-.;=_`{|}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;=_`{|}~"
+PASS Parsing origin: <http://!"$&'()*+,-.;=_`{}~/> against <about:blank>
+FAIL Parsing origin: <sc://!"$&'()*+,-.;=_`{}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;=_`{}~"
 PASS Parsing origin: <ftp://%e2%98%83> against <about:blank>
 PASS Parsing origin: <https://%e2%98%83> against <about:blank>
@@ -298 +298 @@
 PASS Parsing origin: <http://256.256.256.256.256> against <http://other.com/>
 PASS Parsing origin: <https://0x.0x.0> against <about:blank>
+FAIL Parsing origin: <asdf://%43%7C/> against <about:blank> assert_equals: origin expected "null" but got "asdf://%43%7c"
 PASS Parsing origin: <http://[1:0::]> against <http://example.net/>
 FAIL Parsing origin: <sc://ñ> against <about:blank> assert_equals: origin expected "null" but got "sc://%c3%b1"

trunk/LayoutTests/imported/w3c/web-platform-tests/url/a-element-xhtml-expected.txt

@@ -368 +368 @@
 PASS Parsing: <non-special://a>b> against <about:blank>
 PASS Parsing: <non-special://a^b> against <about:blank>
-PASS Parsing: <http://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
-PASS Parsing: <sc://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
+PASS Parsing: <http://!"$&'()*+,-.;=_`{}~/> against <about:blank>
+PASS Parsing: <sc://!"$&'()*+,-.;=_`{}~/> against <about:blank>
 PASS Parsing: <ftp://example.com%80/> against <about:blank>
 PASS Parsing: <ftp://example.com%A0/> against <about:blank>
@@ -415 +415 @@
 PASS Parsing: <file:///C%3A/> against <about:blank>
 PASS Parsing: <file:///C%7C/> against <about:blank>
+PASS Parsing: <file://%43%3A> against <about:blank>
+PASS Parsing: <file://%43%7C> against <about:blank>
+PASS Parsing: <file://%43|> against <about:blank>
+PASS Parsing: <file://C%7C> against <about:blank>
+PASS Parsing: <file://%43%7C/> against <about:blank>
+PASS Parsing: <https://%43%7C/> against <about:blank>
+PASS Parsing: <asdf://%43|/> against <about:blank>
+PASS Parsing: <asdf://%43%7C/> against <about:blank>
 PASS Parsing: <pix/submit.gif> against <file:///C:/Users/Domenic/Dropbox/GitHub/tmpvar/jsdom/test/level2/html/files/anchor.html>
 PASS Parsing: <..> against <file:///C:/>

trunk/LayoutTests/imported/w3c/web-platform-tests/url/failure-expected.txt

@@ -269 +269 @@
 FAIL Location's href: https://256.0.0.1/test should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
 PASS window.open(): https://256.0.0.1/test should throw
+PASS URL's constructor's base argument: file://%43%3A should throw
+PASS URL's href: file://%43%3A should throw
+PASS XHR: file://%43%3A should throw
+PASS sendBeacon(): file://%43%3A should throw
+FAIL Location's href: file://%43%3A should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
+PASS window.open(): file://%43%3A should throw
+PASS URL's constructor's base argument: file://%43%7C should throw
+PASS URL's href: file://%43%7C should throw
+PASS XHR: file://%43%7C should throw
+PASS sendBeacon(): file://%43%7C should throw
+FAIL Location's href: file://%43%7C should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
+PASS window.open(): file://%43%7C should throw
+PASS URL's constructor's base argument: file://%43| should throw
+PASS URL's href: file://%43| should throw
+PASS XHR: file://%43| should throw
+PASS sendBeacon(): file://%43| should throw
+FAIL Location's href: file://%43| should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
+PASS window.open(): file://%43| should throw
+PASS URL's constructor's base argument: file://C%7C should throw
+PASS URL's href: file://C%7C should throw
+PASS XHR: file://C%7C should throw
+PASS sendBeacon(): file://C%7C should throw
+FAIL Location's href: file://C%7C should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
+PASS window.open(): file://C%7C should throw
+PASS URL's constructor's base argument: file://%43%7C/ should throw
+PASS URL's href: file://%43%7C/ should throw
+PASS XHR: file://%43%7C/ should throw
+PASS sendBeacon(): file://%43%7C/ should throw
+FAIL Location's href: file://%43%7C/ should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
+PASS window.open(): file://%43%7C/ should throw
+PASS URL's constructor's base argument: https://%43%7C/ should throw
+PASS URL's href: https://%43%7C/ should throw
+PASS XHR: https://%43%7C/ should throw
+PASS sendBeacon(): https://%43%7C/ should throw
+FAIL Location's href: https://%43%7C/ should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
+PASS window.open(): https://%43%7C/ should throw
+PASS URL's constructor's base argument: asdf://%43|/ should throw
+PASS URL's href: asdf://%43|/ should throw
+PASS XHR: asdf://%43|/ should throw
+PASS sendBeacon(): asdf://%43|/ should throw
+FAIL Location's href: asdf://%43|/ should throw assert_throws_js: function "() => self[0].location = test.input" did not throw
+PASS window.open(): asdf://%43|/ should throw
 PASS URL's constructor's base argument: \\\.\Y: should throw
 PASS URL's href: \\\.\Y: should throw

trunk/LayoutTests/imported/w3c/web-platform-tests/url/resources/urltestdata.json

@@ -4683 +4683 @@
   "Allowed host code points",
   {
-    "input": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
-    "base": "about:blank",
-    "href": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
-    "origin": "http://\u001F!\"$&'()*+,-.;=_`{|}~",
-    "protocol": "http:",
-    "username": "",
-    "password": "",
-    "host": "\u001F!\"$&'()*+,-.;=_`{|}~",
-    "hostname": "\u001F!\"$&'()*+,-.;=_`{|}~",
-    "port": "",
-    "pathname": "/",
-    "search": "",
-    "hash": ""
-  },
-  {
-    "input": "sc://\u001F!\"$&'()*+,-.;=_`{|}~/",
-    "base": "about:blank",
-    "href": "sc://%1F!\"$&'()*+,-.;=_`{|}~/",
+    "input": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
+    "base": "about:blank",
+    "href": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
+    "origin": "http://\u001F!\"$&'()*+,-.;=_`{}~",
+    "protocol": "http:",
+    "username": "",
+    "password": "",
+    "host": "\u001F!\"$&'()*+,-.;=_`{}~",
+    "hostname": "\u001F!\"$&'()*+,-.;=_`{}~",
+    "port": "",
+    "pathname": "/",
+    "search": "",
+    "hash": ""
+  },
+  {
+    "input": "sc://\u001F!\"$&'()*+,-.;=_`{}~/",
+    "base": "about:blank",
+    "href": "sc://%1F!\"$&'()*+,-.;=_`{}~/",
     "origin": "null",
     "protocol": "sc:",
     "username": "",
     "password": "",
-    "host": "%1F!\"$&'()*+,-.;=_`{|}~",
-    "hostname": "%1F!\"$&'()*+,-.;=_`{|}~",
+    "host": "%1F!\"$&'()*+,-.;=_`{}~",
+    "hostname": "%1F!\"$&'()*+,-.;=_`{}~",
     "port": "",
     "pathname": "/",
@@ -5200 +5200 @@
     "port": "",
     "pathname": "/C%7C/",
+    "search": "",
+    "hash": ""
+  },
+  {
+    "input": "file://%43%3A",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43%7C",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43|",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://C%7C",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43%7C/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "https://%43%7C/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "asdf://%43|/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "asdf://%43%7C/",
+    "base": "about:blank",
+    "href": "asdf://%43%7C/",
+    "origin": "null",
+    "protocol": "asdf:",
+    "username": "",
+    "password": "",
+    "host": "%43%7C",
+    "hostname": "%43%7C",
+    "port": "",
+    "pathname": "/",
     "search": "",
     "hash": ""

trunk/LayoutTests/imported/w3c/web-platform-tests/url/url-constructor-expected.txt

@@ -367 +367 @@
 PASS Parsing: <non-special://a>b> against <about:blank>
 PASS Parsing: <non-special://a^b> against <about:blank>
-PASS Parsing: <http://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
-PASS Parsing: <sc://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
+PASS Parsing: <http://!"$&'()*+,-.;=_`{}~/> against <about:blank>
+PASS Parsing: <sc://!"$&'()*+,-.;=_`{}~/> against <about:blank>
 PASS Parsing: <ftp://example.com%80/> against <about:blank>
 PASS Parsing: <ftp://example.com%A0/> against <about:blank>
@@ -414 +414 @@
 PASS Parsing: <file:///C%3A/> against <about:blank>
 PASS Parsing: <file:///C%7C/> against <about:blank>
+PASS Parsing: <file://%43%3A> against <about:blank>
+PASS Parsing: <file://%43%7C> against <about:blank>
+PASS Parsing: <file://%43|> against <about:blank>
+PASS Parsing: <file://C%7C> against <about:blank>
+PASS Parsing: <file://%43%7C/> against <about:blank>
+PASS Parsing: <https://%43%7C/> against <about:blank>
+PASS Parsing: <asdf://%43|/> against <about:blank>
+PASS Parsing: <asdf://%43%7C/> against <about:blank>
 PASS Parsing: <pix/submit.gif> against <file:///C:/Users/Domenic/Dropbox/GitHub/tmpvar/jsdom/test/level2/html/files/anchor.html>
 PASS Parsing: <..> against <file:///C:/>

trunk/LayoutTests/imported/w3c/web-platform-tests/url/url-origin-expected.txt

@@ -263 +263 @@
 FAIL Origin parsing: <wow:￿> against <about:blank> assert_equals: origin expected "null" but got "wow://"
 PASS Origin parsing: <http://example.com/U+d800�U+dffeU+dfff﷐﷏﷯ﷰ￾￿?U+d800�U+dffeU+dfff﷐﷏﷯ﷰ￾￿> against <about:blank>
-PASS Origin parsing: <http://!"$&'()*+,-.;=_`{|}~/> against <about:blank>
-FAIL Origin parsing: <sc://!"$&'()*+,-.;=_`{|}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;=_`{|}~"
+PASS Origin parsing: <http://!"$&'()*+,-.;=_`{}~/> against <about:blank>
+FAIL Origin parsing: <sc://!"$&'()*+,-.;=_`{}~/> against <about:blank> assert_equals: origin expected "null" but got "sc://%1f!\"$&'()*+,-.;=_`{}~"
 PASS Origin parsing: <ftp://%e2%98%83> against <about:blank>
 PASS Origin parsing: <https://%e2%98%83> against <about:blank>
@@ -297 +297 @@
 PASS Origin parsing: <http://256.256.256.256.256> against <http://other.com/>
 PASS Origin parsing: <https://0x.0x.0> against <about:blank>
+FAIL Origin parsing: <asdf://%43%7C/> against <about:blank> assert_equals: origin expected "null" but got "asdf://%43%7c"
 PASS Origin parsing: <http://[1:0::]> against <http://example.net/>
 FAIL Origin parsing: <sc://ñ> against <about:blank> assert_equals: origin expected "null" but got "sc://%c3%b1"

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2021-01-26  Alex Christensen  <achristensen@webkit.org>
+
+        Forbid '|' in URL hosts
+        https://bugs.webkit.org/show_bug.cgi?id=220778
+
+        Reviewed by Youenn Fablet.
+
+        This is one of the proposed solutions to https://github.com/whatwg/url/issues/559
+        and RFC 3986 and 3987 forbid such characters, so let's try forbidding it.
+
+        * wtf/URLParser.cpp:
+        (WTF::isC0Control):
+        (WTF::isForbiddenHostCodePoint):
+
 2021-01-25  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WTF/wtf/URLParser.cpp

@@ -187 +187 @@
     ValidScheme, // 'z'
     UserInfo | Default, // '{'
-    UserInfo, // '|'
+    UserInfo | ForbiddenHost, // '|'
     UserInfo | Default, // '}'
     0, // '~'
@@ -331 +331 @@
 template<typename CharacterType> ALWAYS_INLINE static bool isSlashQuestionOrHash(CharacterType character) { return character <= '\\' && characterClassTable[character] & SlashQuestionOrHash; }
 template<typename CharacterType> ALWAYS_INLINE static bool isValidSchemeCharacter(CharacterType character) { return character <= 'z' && characterClassTable[character] & ValidScheme; }
-template<typename CharacterType> ALWAYS_INLINE static bool isForbiddenHostCodePoint(CharacterType character) { return character <= '^' && characterClassTable[character] & ForbiddenHost; }
+template<typename CharacterType> ALWAYS_INLINE static bool isForbiddenHostCodePoint(CharacterType character) { return character <= '|' && characterClassTable[character] & ForbiddenHost; }
 ALWAYS_INLINE static bool shouldPercentEncodeQueryByte(uint8_t byte, const bool& urlIsSpecial)
 {