IDNA2008 DISALLOWED characters are permitted in URL

[GuillaumeBlanchet]

Version

v17.5.0

Platform

Linux deskt 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Take any character disallowed in domain names in the list from the internet standard (RFC) here and insert it in a URL (e.g. \u0556):
$ node -i
> new URL('http://\u0556.com');

How often does it reproduce? Is there a required condition?

All the time.

What is the expected behavior?

Uncaught TypeError [ERR_INVALID_URL]: Invalid URL
at __node_internal_captureLargerStackTrace (node:internal/errors)
at new NodeError (node:internal/errors)
at onParseError (node:internal/url)
at new URL (node:internal/url) {
input: 'http://\u0556.com/',
code: 'ERR_INVALID_URL'
}

What do you see instead?

URL {
href: 'http://xn--0bb.com/',
origin: 'http://xn--0bb.com',
protocol: 'http:',
username: '',
password: '',
host: 'xn--0bb.com',
hostname: 'xn--0bb.com',
port: '',
pathname: '/',
search: '',
searchParams: URLSearchParams {},
hash: ''
}

Additional information

> new URL('http://\u0100.com');
> new URL('http://\u0102.com');
> new URL('http://\u0104.com');

and so on, produce the same behavior, violating the IDNA2008 protocol.

[aduh95]

Node.js follows the WHATWG URL spec, which does not forbids those characters it seems: https://url.spec.whatwg.org/#host-miscellaneous. This behavior is consistent with Firefox, Chromium, Safari, and Deno.

If you think this API should restrict the allowed characters, please open an issue on their repo: https://github.com/whatwg/url.

I'm going to close this now, but if you think I missed something don't hesitate to re-open or to ask more questions.