Percent-encode U+007F DELETE when parsing URLs

Category: Network / Connectivity
Type: Chromium catches up
Status: Enabled by default (Chrome 86)
Intent stage: Shipped

Summary

When parsing URLs, encode the character U+007F DELETE as "%7F". This improves readability, reduces spoofing risk, makes Chrome's behavior more consistent, interoperable with other browsers and compliant with the specification.

Motivation

- U+7F is the only non-printable ASCII character that is not percent-encoded. One could rely on this for spoofing purpose. - The spec says it should be percent-encoded and WebKit and Gecko does it. - Blink already percent-encode U+7F in URLs in most cases, this change is about making it consistent by handling the same paths of non-special URLs (i.e. using schemes other than ftp, file, http, https, ws, wss) or URL fragments (i.e. #foo).

Standards & signals

Specification: https://url.spec.whatwg.org/#concept-basic-url-parser
Firefox: Positive — Shipped
Safari: Positive — Shipped
Web developers: Positive — There is an existing bug report about how percent-encoding is done for registerProtocolHandler, which is affected by the special case of U+7F.
Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=809852

View on chromestatus.com