-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unreserved characters are escaped when making a HTTP request #33037
Comments
The The spec says the application/x-www-form-urlencoded serializer should be applied:
@himself65 I see you tagged this with confirmed-bug. Can you elaborate? |
Isn't that bug in URLSearchParams? Because in spec https://tools.ietf.org/html/rfc3986#section-2.3 we see that ~ is unreserved character and
Also in https://url.spec.whatwg.org/ we see that percent encoding must be used only for code points greater than U+007E (~) but not equal this symbol |
@Hamper https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer is the mapping for individual bytes. |
The URL parser uses the WHATWG URL Standard as the normative reference and not rfc3986 and the two definitely differ with regards to some of the escaping rules. That said, I do think this is a bug... not necessarily in our impl but in the URL Standard spec itself. Definitely warrants more investigation. Specifically, look at section https://url.spec.whatwg.org/#url-parsing and search for "query state" ... |
@bnoordhuis ... the section you reference deals specifically with |
@jasnell I think you overlooked the line that says |
Ah, yep, there it is. As I said, I don't think this is a bug in our implementation but I do think it's a bug in the spec itself because given the rules defined elsewhere in the doc /cc @annevk ... when you get a moment, could you help us resolve this issue? :-) |
@bnoordhuis but if you do const url = new URL('http://httpbin.org/anything?a=~');
url.searchParams.sort()
url.toString() we can see same bug |
Yep... there's definitely an inconsistency there... C:\Users\jasne\Projects\tmp>node
Welcome to Node.js v14.0.0.
Type ".help" for more information.
> const u = new URL('http://example.com/?a=~')
undefined
> u.toString()
'http://example.com/?a=~'
> u.searchParams.sort()
undefined
> u.toString()
'http://example.com/?a=%7E'
> |
See whatwg/url#18. |
Hmm... even with |
I guess that's something we hadn't considered yet. I'm not sure what the complexity of that would be offhand, but if someone was willing to make that a bit more detailed (probably in a fresh issue on whatwg/url) I'd be happy to help find out if there's interest in aligning on something like that. |
Issue opened. Will keep this issue open until that is resolved. Thank you for the clarifications @annevk :-) |
Does the WHATWG URL spec override the URL normalization in the HTTP spec? |
@szmarczak ... that's a total grey area lol. All of the various HTTP specifications normatively reference the IETF URL specification in some way, and most HTTP server and middle box implementations follow suit. The WHATWG URL spec, however, is what browsers / useragents generally follow and the WHATWG spec has largely emerged as the de facto standard. There's always been a bit of contention on the areas where they differ. |
I think this issue should be closed until the WHATWG issue reaches a conclusion, if indeed it ever does. Right now this issue is completely inactionable. |
I strongly disagree. It's easy to forget the issue that way and we don't want that. A more appropriate thing to do would be rather to mark this issue as blocked. |
There are almost a thousand open issues. No one is going to look at this one once it drops off the first page or two, label or no label. |
Quick update on whatwg/url#478 ... I have a general proposed fix on the table (to require that URLQueryParam stringification follow URL rules when Specifically, the proposed change is internal only, and would only impact using the This would follow URL encoding rules: u.searchParams.sort() But this would not, however... u.search = u.searchParams.toString() Assuming the change proposal does not go through at the WHATWG, then this will need to be closed without changing behavior as our priority is on following the spec and we do not want to unilaterally diverge from that. It would, however, be good to add documentation to
Except that it is not. See above. |
The WHATWG URL spec is not going to change this behavior so let's document it Signed-off-by: James M Snell <jasnell@gmail.com> Fixes: nodejs#33037
Alrighty, well, it's looking like changes to the WHATWG spec aren't going to happen, which is fine. Added a PR that documents the discrepancy. |
The WHATWG URL spec is not going to change this behavior so let's document it Signed-off-by: James M Snell <jasnell@gmail.com> Fixes: #33037 PR-URL: #33236 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Zeyu Yang <himself65@outlook.com>
The WHATWG URL spec is not going to change this behavior so let's document it Signed-off-by: James M Snell <jasnell@gmail.com> Fixes: #33037 PR-URL: #33236 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Zeyu Yang <himself65@outlook.com>
The WHATWG URL spec is not going to change this behavior so let's document it Signed-off-by: James M Snell <jasnell@gmail.com> Fixes: #33037 PR-URL: #33236 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Zeyu Yang <himself65@outlook.com>
What steps will reproduce the bug?
How often does it reproduce? Is there a required condition?
Always.
What is the expected behavior?
What do you see instead?
Additional information
sindresorhus/got#1180 (comment)
The text was updated successfully, but these errors were encountered: