forked from whatwg/url
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathurl.bs
3376 lines (2519 loc) · 123 KB
/
url.bs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<pre class=metadata>
Group: WHATWG
H1: URL
Shortname: url
Text Macro: TWITTER urlstandard
Abstract: The URL Standard defines URLs, domains, IP addresses, the <code>application/x-www-form-urlencoded</code> format, and their API.
Translation: ja https://triple-underscore.github.io/URL-ja.html
</pre>
<h2 id=goals class=no-num>Goals</h2>
<p>The URL standard takes the following approach towards making URLs fully interoperable:
<ul>
<li><p>Align RFC 3986 and RFC 3987 with contemporary implementations and
obsolete them in the process. (E.g., spaces, other "illegal" code points,
query encoding, equality, canonicalization, are all concepts not entirely
shared, or defined.) URL parsing needs to become as solid as HTML parsing.
[[RFC3986]]
[[RFC3987]]
<li><p>Standardize on the term URL. URI and IRI are just confusing. In
practice a single algorithm is used for both so keeping them distinct is
not helping anyone. URL also easily wins the
<a href="https://trends.google.com/trends/explore?q=url,uri">search result popularity contest</a>.
<li><p>Supplanting <a href="https://tools.ietf.org/html/rfc6454#section-4">Origin of a URI [sic]</a>.
[[RFC6454]]
<li><p>Define URL's existing JavaScript API in full detail and add
enhancements to make it easier to work with. Add a new <code><a interface>URL</a></code>
object as well for URL manipulation without usage of HTML elements. (Useful
for JavaScript worker environments.)
<li><p>Ensure the combination of parser, serializer, and API guarantee idempotence. For example, a
non-failure result of a parse-then-serialize operation will not change with any further
parse-then-serialize operations applied to it. Similarly, manipulating a non-failure result through
the API will not change from applying any number of serialize-then-parse operations to it.
</ul>
<p class=note>As the editors learn more about the subject matter the goals
might increase in scope somewhat.
<h2 id=infrastructure>Infrastructure</h2>
<p>This specification depends on the Infra Standard. [[!INFRA]]
<p>Some terms used in this specification are defined in the following standards and specifications:
<ul class=brief>
<li>DOM Standard [[!DOM]]
<li>Encoding Standard [[!ENCODING]]
<li>File API [[!FILEAPI]]
<li>HTML Standard [[!HTML]]
<li>Media Source Extensions [[!MEDIA-SOURCE]]
<li>Unicode IDNA Compatibility Processing [[!UTS46]]
<li>Web IDL [[!WEBIDL]]
</ul>
<hr>
<p>To <dfn>serialize an integer</dfn>, represent it as the shortest possible decimal
number.
<h3 id=writing>Writing</h3>
<p>A <dfn oldids=syntax-violation>validation error</dfn> indicates a mismatch between input and
valid input. User agents, especially conformance checkers, are encouraged to report them somewhere.
<div class="note no-backref">
<p>A <a>validation error</a> does not mean that the parser terminates. Termination of a parser is
always stated explicitly, e.g., through a return statement.
<p>It is useful to signal <a>validation errors</a> as error-handling can be non-intuitive, legacy
user agents might not implement correct error-handling, and the intent of what is written might be
unclear to other developers.
</div>
<h3 id=parsers>Parsers</h3>
<p>The <dfn>EOF code point</dfn> is a conceptual code point that signifies the end of a
string or code point stream.
<p>Within a parser algorithm that uses a <var>pointer</var> variable, <dfn>c</dfn>
references the code point the <var>pointer</var> variable points to.
<p>Within a string-based parser algorithm that uses a <var>pointer</var> variable,
<dfn>remaining</dfn> references the substring after <var>pointer</var> in the string
being processed.
<p class=example id=example-12672b6a>If "<code>mailto:username@example</code>" is a <a>string</a>
being processed and <var>pointer</var> points to @, <a>c</a> is U+0040 (@) and <a>remaining</a> is
"<code>example</code>".
<h3 id=percent-encoded-bytes>Percent-encoded bytes</h3>
<p>A <dfn>percent-encoded byte</dfn> is U+0025 (%), followed by two <a>ASCII hex digits</a>.
Sequences of <a lt="percent-encoded byte">percent-encoded bytes</a>, after conversion to bytes,
should not cause <a>UTF-8 decode without BOM or fail</a> to return failure.
<p>To <dfn export>percent encode</dfn> a <var>byte</var> into a <a>percent-encoded byte</a>, return
a <a>string</a> consisting of U+0025 (%), followed by two <a>ASCII upper hex digits</a> representing
<var>byte</var>.
<p>To <dfn export>percent decode</dfn> a <a>byte sequence</a> <var>input</var>, run these steps:
<p class=warning>Using anything but <a>UTF-8 decode without BOM</a> when the <var>input</var>
contains bytes that are not <a>ASCII bytes</a> might be insecure and is not recommended.
<ol>
<li><p>Let <var>output</var> be an empty <a>byte sequence</a>.
<li>
<p>For each byte <var>byte</var> in <var>input</var>:
<ol>
<li><p>If <var>byte</var> is not 0x25 (%), then append <var>byte</var> to <var>output</var>.
<li><p>Otherwise, if <var>byte</var> is 0x25 (%) and the next two bytes after
<var>byte</var> in <var>input</var> are not in the ranges 0x30 (0) to 0x39 (9),
0x41 (A) to 0x46 (F), and 0x61 (a) to 0x66 (f), all inclusive, append <var>byte</var> to
<var>output</var>.
<li>
<p>Otherwise:
<ol>
<li><p>Let <var>bytePoint</var> be the two bytes after <var>byte</var> in <var>input</var>,
<a lt="UTF-8 decode without BOM">decoded</a>, and then interpreted as hexadecimal number.
<!-- We should have a better definition for this. -->
<li><p>Append a byte whose value is <var>bytePoint</var> to
<var>output</var>.
<li><p>Skip the next two bytes in <var>input</var>.
</ol>
</ol>
<li><p>Return <var>output</var>.
</ol>
<p>To <dfn export>string percent decode</dfn> a string <var>input</var>, run these steps:
<ol>
<li><p>Let <var>bytes</var> be the <a>UTF-8 encoding</a> of <var>input</var>.
<li><p>Return the <a>percent decoding</a> of <var>bytes</var>.
</ol>
<hr>
<!-- the escape sets are minimal as escaping can lead to problems; we might
be able to escape more here but only if implementers are willing and
there's an upside
note that query and application/x-www-form-urlencoded use their own
local sets -->
<p>The <dfn oldids=simple-encode-set>C0 control percent-encode set</dfn> are the <a>C0 controls</a>
and all <a>code points</a> greater than U+007E (~).
<p>The <dfn>fragment percent-encode set</dfn> is the <a>C0 control percent-encode set</a> and
U+0020 SPACE, U+0022 ("), U+003C (<), U+003E (>), and U+0060 (`).
<p>The <dfn oldids=default-encode-set>path percent-encode set</dfn> is the
<a>fragment percent-encode set</a> and U+0023 (#), U+003F (?), U+007B ({), and U+007D (}).
<p>The <dfn oldids=userinfo-encode-set>userinfo percent-encode set</dfn> is the
<a>path percent-encode set</a> and U+002F (/), U+003A (:), U+003B (;), U+003D (=), U+0040 (@),
U+005B ([), U+005C (\), U+005D (]), U+005E (^), and U+007C (|).
<p>To <dfn>UTF-8 percent encode</dfn> a <var>codePoint</var>, using a <var>percentEncodeSet</var>,
run these steps:
<ol>
<li><p>If <var>codePoint</var> is not in <var>percentEncodeSet</var>, then return
<var>codePoint</var>.
<li><p>Let <var>bytes</var> be the result of running <a>UTF-8 encode</a> on
<var>codePoint</var>.
<li><p><a>Percent encode</a> each byte in <var>bytes</var>, and then return the results
concatenated, in the same order.
</ol>
<h2 id=security-considerations>Security considerations</h2>
<p>The security of a <a for=/>URL</a> is a function of its environment. Care is to be
taken when rendering, interpreting, and passing <a for=/>URLs</a> around.
<p>When rendering and allocating new <a for=/>URLs</a> "spoofing" needs to be considered. An attack
whereby one <a for=/>host</a> or <a for=/>URL</a> can be confused for another. For instance,
consider how 1/l/I, m/rn/rri, 0/O, and а/a can all appear eerily similar. Or worse, consider how
U+202A LEFT-TO-RIGHT EMBEDDING and similar <a>code points</a> are invisible. [[UTR36]]
<p>When passing a <a for=/>URL</a> from party <var>A</var> to <var>B</var>, both need to
carefully consider what is happening. <var>A</var> might end up leaking data it does not
want to leak. <var>B</var> might receive input it did not expect and take an action that
harms the user. In particular, <var>B</var> should never trust <var>A</var>, as at some
point <a for=/>URLs</a> from <var>A</var> can come from untrusted sources.
<h2 id="hosts-(domains-and-ip-addresses)">Hosts (domains and IP addresses)</h2>
<p>At a high level, a <a for=/>host</a>, <a>valid host string</a>, <a>host parser</a>, and
<a>host serializer</a> relate as follows:
<ul>
<li><p>The <a>host parser</a> takes an arbitrary string and returns either failure or a
<a for=/>host</a>.
<li><p>A <a for=/>host</a> can be seen as the in-memory representation.
<li><p>A <a>valid host string</a> defines what input would not trigger a <a>validation error</a>
or failure when given to the <a>host parser</a>. I.e., input that would be considered conforming or
valid.
<li><p>The <a>host serializer</a> takes a <a for=/>host</a> and returns a string. (If that string
is then <a lt="host parser">parsed</a>, the result will <a for=host>equal</a> the <a for=/>host</a>
that was <a lt="host serializer">serialized</a>.)
</ul>
<h3 id=host-representation>Host representation</h3>
<p>A <dfn export id=concept-host>host</dfn> is a <a>domain</a>, an
<a>IPv4 address</a>, an <a>IPv6 address</a>, an <a>opaque host</a>, or an <a>empty host</a>.
Typically a <a for=/>host</a> serves as a network address, but it is sometimes used as opaque
identifier in <a for=/>URLs</a> where a network address is not necessary.
<p class=note>The RFCs referenced in the paragraphs below are for informative purposes only. They
have no influence on <a for=/>host</a> writing, parsing, and serialization. Unless stated otherwise
in the sections that follow.
<p>A <dfn export id=concept-domain>domain</dfn> is an <a>ASCII string</a> that identifies a realm
within a network.
[[RFC1034]]
<p class=note>The <code>example.com</code> and <code>example.com.</code> <a for=/>domains</a> are
not equivalent and typically treated as distinct.
<p>An <dfn export id=concept-ipv4>IPv4 address</dfn> is a 32-bit unsigned integer that identifies a
network address.
[[RFC791]]
<p>An <dfn export id=concept-ipv6>IPv6 address</dfn> is a 128-bit unsigned integer that identifies a
network address. For the purposes of this standard it is represented as a <a for=/>list</a> of eight
16-bit unsigned integers, also known as
<dfn export lt="IPv6 piece" id=concept-ipv6-piece>IPv6 pieces</dfn>.
[[RFC4291]]
<p class="note">Support for <code><zone_id></code> is
<a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=27234#c2">intentionally omitted</a>.
<p>An <dfn export>opaque host</dfn> is a non-empty <a>ASCII string</a> holding data that can be used
for further processing.
<p>An <dfn export>empty host</dfn> is the empty string.
<h3 id=host-miscellaneous>Host miscellaneous</h3>
<p>A <dfn export>forbidden host code point</dfn> is U+0000 NULL, U+0009 TAB, U+000A LF, U+000D CR,
U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003F (?), U+0040 (@), U+005B ([),
U+005C (\), or U+005D (]).
<p>A <a for=/>host</a>'s <dfn for=host export>public suffix</dfn> is the portion of a
<a for=/>host</a> which is included on the <cite>Public Suffix List</cite>. To obtain
<var>host</var>'s <a for=host>public suffix</a>, run these steps: [[!PSL]]
<ol>
<li><p>If <var>host</var> is not a <a>domain</a>, then return null.
<li><p>Return the <a for=host>public suffix</a> obtained by executing the
<a href="https://publicsuffix.org/list/">algorithm</a> defined by the Public Suffix List on
<var>host</var>. [[!PSL]].
</ol>
<p>A <a for=/>host</a>'s <dfn for=host export>registrable domain</dfn> is a <a>domain</a> formed by
the most specific public suffix, along with the domain label immediately preceeding it, if any. To
obtain <var>host</var>'s <a for=host>registrable domain</a>, run these steps:
<ol>
<li><p>If <var>host</var>'s <a for=host>public suffix</a> is null or <var>host</var>'s
<a for=host>public suffix</a> <a for=host>equals</a> <var>host</var>, then return null.
<li><p>Return the <a for=host>registrable domain</a> obtained by executing the
<a href="https://publicsuffix.org/list/">algorithm</a> defined by the Public Suffix List on
<var>host</var>. [[!PSL]]
</ol>
<div class=example id=example-host-psl>
<table>
<tr>
<th>Host input
<th>Public suffix
<th>Registrable domain
<tr>
<td><code>com</code>
<td><code>com</code>
<td><i>null</i>
<tr>
<td><code>example.com</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>www.example.com</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>sub.www.example.com</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>EXAMPLE.COM</code>
<td><code>com</code>
<td><code>example.com</code>
<tr>
<td><code>github.io</code>
<td><code>github.io</code>
<td><i>null</i>
<tr>
<td><code>whatwg.github.io</code>
<td><code>github.io</code>
<td><code>whatwg.github.io</code>
<tr>
<td><code>إختبار</code>
<td><code>xn-kgbechtv</code>
<td><i>null</i>
<tr>
<td><code>example.إختبار</code>
<td><code>xn-kgbechtv</code>
<td><code>example.xn-kgbechtv</code>
<tr>
<td><code>sub.example.إختبار</code>
<td><code>xn-kgbechtv</code>
<td><code>example.xn-kgbechtv</code>
</table>
</div>
<p>Two <a for=/>hosts</a>, <var>A</var> and <var>B</var> are said to be
<dfn for=host export>same site</dfn> with each other if either of the following statements are true:
<ul class=brief>
<li><p><var>A</var> <a for=host>equals</a> <var>B</var> and <var>A</var>'s
<a for=host>registrable domain</a> is non-null.
<li><p><var>A</var>'s <a for=host>registrable domain</a> is <var>B</var>'s
<a for=host>registrable domain</a> and is non-null.
</ul>
<div class=example id=example-same-site>
<p>Assuming that <code>suffix.example</code> is a <a for=host>public suffix</a> and that
<code>example.com</code> is not:
<ul>
<li><p><code>example.com</code>, <code>sub.example.com</code>, <code>other.example.com</code>,
<code>sub.sub.example.com</code>, and <code>sub.other.example.com</code> are all <a>same site</a>
with each other (and themselves), as their <a for=host>registrable domains</a> are
<code>example.com</code>.
<li><p><code>registrable.suffix.example</code>, <code>sub.registrable.suffix.example</code>,
<code>other.registrable.suffix.example</code>, <code>sub.sub.registrable.suffix.example</code>,
and <code>sub.other.registrable.suffix.example</code> are all <a>same site</a> with each other
(and themselves), as their <a for=host>registrable domains</a> are
<code>registrable.suffix.example</code>.
<li><p><code>example.com</code> and <code>registrable.suffix.example</code> are not
<a>same site</a> with each other, as their <a for=host>registrable domains</a> differ.
<li><p><code>suffix.example</code> is not <a>same site</a> with <code>suffix.example</code>, as
it is a <a for=host>public suffix</a>, and therefore has a null
<a for=host>registrable domain</a>.
</ul>
</div>
<p class=warning>Specifications should prefer the <a for=/>origin</a> concept for security
decisions. The notion of "<a for=host>public suffix</a>", "<a for=host>registrable domain</a>",
and "<a>same site</a>" cannot be relied-upon to provide a hard security boundary, as the public
suffix list will diverge from client to client. Specifications which ignore this advice are
encouraged to carefully consider whether URLs' schemes ought to be incorporated into any decision
made based upon whether or not two <a for=/>hosts</a> are <a>same site</a>. HTML's <a>same
origin-domain</a> concept is a reasonable example of this consideration in practice.
<h3 id=idna>IDNA</h3>
<p>The <dfn id=concept-domain-to-ascii>domain to ASCII</dfn> algorithm, given a <a>string</a>
<var>domain</var> and optionally a boolean <var>beStrict</var>, runs these steps:
<ol>
<li><p>If <var>beStrict</var> is not given, set it to false.
<li><p>Let <var>result</var> be the result of running <a abstract-op lt=ToASCII>Unicode ToASCII</a>
with <i>domain_name</i> set to <var>domain</var>, <i>UseSTD3ASCIIRules</i> set to
<var>beStrict</var>, <i>CheckHyphens</i> set to false, <i>CheckBidi</i> set to true,
<i>CheckJoiners</i> set to true, <i>Transitional_Processing</i> set to false,
and <i>VerifyDnsLength</i> set to <var>beStrict</var>.
<li><p>If <var>result</var> is a failure value, <a>validation error</a>, return failure.
<li><p>Return <var>result</var>.
</ol>
<p>The <dfn id=concept-domain-to-unicode>domain to Unicode</dfn> algorithm, given a <a>domain</a>
<var>domain</var>, runs these steps:
<ol>
<li><p>Let <var>result</var> be the result of running
<a abstract-op lt=ToUnicode>Unicode ToUnicode</a> with <i>domain_name</i> set to <var>domain</var>,
<i>CheckHyphens</i> set to false, <i>CheckBidi</i> set to true, <i>CheckJoiners</i> set to true,
<i>UseSTD3ASCIIRules</i> set to false, and <i>Transitional_Processing</i> set to false.
<li><p>Signify <a>validation errors</a> for any returned errors, and then, return
<var>result</var>.
</ol>
<h3 id=host-writing oldids=host-syntax>Host writing</h3>
<p>A <dfn export oldids=syntax-host>valid host string</dfn> must be a <a>valid domain string</a>, a
<a>valid IPv4-address string</a>, or: U+005B ([), followed by a
<a>valid IPv6-address string</a>, followed by U+005D (]).
<p>A <var>domain</var> is a <dfn>valid domain</dfn> if these steps return success:
<ol>
<li><p>Let <var>result</var> be the result of running <a>domain to ASCII</a> with <var>domain</var>
and true.
<li><p>If <var>result</var> is failure, then return failure.
<li><p>Set <var>result</var> to the result of running
<a abstract-op lt=ToUnicode>Unicode ToUnicode</a> with <i>domain_name</i> set to <var>result</var>,
<i>CheckHyphens</i> set to false, <i>CheckBidi</i> set to true, <i>CheckJoiners</i> set to true,
<i>UseSTD3ASCIIRules</i> set to true, and <i>Transitional_Processing</i> set to false.
<li><p>If <var>result</var> contains any errors, return failure.
<li><p>Return success.
</ol>
<p class=XXX>Ideally we define this in terms of a sequence of code points that make up a
<a>valid domain</a> rather than through a whack-a-mole:
<a href=https://github.com/whatwg/url/issues/245>issue 245</a>.
<p>A <dfn export oldids=syntax-host-domain>valid domain string</dfn> must be a string that is a
<a>valid domain</a>.
<p>A <dfn export oldids=syntax-host-ipv4>valid IPv4-address string</dfn> must be four sequences of
up to three <a>ASCII digits</a> per sequence, each representing a decimal number no greater than
255, and separated from each other by U+002E (.).
<p>A <dfn export oldids=syntax-host-ipv6>valid IPv6-address string</dfn> is defined in the
<a href="https://tools.ietf.org/html/rfc4291#section-2.2">"Text Representation of Addresses" chapter of IP Version 6 Addressing Architecture</a>.
[[!RFC4291]]
<!-- https://tools.ietf.org/html/rfc5952 updates that RFC, but it seems as
far as what developers can do we should be liberal
XXX should we define the format inline instead just like STD 66? -->
<p>A <dfn export>valid opaque-host string</dfn> must be one or more <a>URL units</a> or: U+005B ([),
followed by a <a>valid IPv6-address string</a>, followed by U+005D (]).
<p class="note no-backref">This is not part of the definition of <a>valid host string</a> as it
requires context to be distinguished.
<h3 id=host-parsing>Host parsing</h3>
<p>The <dfn export id=concept-host-parser lt="host parser|host parsing">host parser</dfn> takes a
string <var>input</var> with an optional boolean <var>isNotSpecial</var>, and then runs these steps:
<ol>
<li><p>If <var>isNotSpecial</var> is not given, then set <var>isNotSpecial</var> to false.
<li>
<p>If <var>input</var> starts with U+005B ([), then:
<ol>
<li><p>If <var>input</var> does not end with U+005D (]), <a>validation error</a>, return failure.
<li><p>Return the result of <a lt="IPv6 parser">IPv6 parsing</a> <var>input</var> with its
leading U+005B ([) and trailing U+005D (]) removed.
</ol>
<li><p>If <var>isNotSpecial</var> is true, then return the result of
<a lt="opaque-host parser">opaque-host parsing</a> <var>input</var>.
<li>
<p>Let <var>domain</var> be the result of running <a>UTF-8 decode without BOM</a> on the
<a>string percent decoding</a> of <var>input</var>.
<p class="note no-backref">Alternatively <a>UTF-8 decode without BOM or fail</a> can be used,
coupled with an early return for failure, as <a>domain to ASCII</a> fails on
U+FFFD REPLACEMENT CHARACTER.
<li><p>Let <var>asciiDomain</var> be the result of running
<a>domain to ASCII</a> on <var>domain</var>.
<li><p>If <var>asciiDomain</var> is failure, <a>validation error</a>, return failure.
<li><p>If <var>asciiDomain</var> contains a <a>forbidden host code point</a>,
<a>validation error</a>, return failure.
<li><p>Let <var>ipv4Host</var> be the result of <a lt="IPv4 parser">IPv4 parsing</a>
<var>asciiDomain</var>.
<li><p>If <var>ipv4Host</var> is an <a>IPv4 address</a> or failure, return
<var>ipv4Host</var>.
<li><p>Return <var>asciiDomain</var>.
</ol>
<p>The <dfn>IPv4 number parser</dfn> takes a string <var>input</var> and a
<var>validationErrorFlag</var> pointer, and then runs these steps:
<ol>
<li><p>Let <var>R</var> be 10.
<li>
<p>If <var>input</var> contains at least two code points and the first two code points are either
"<code>0x</code>" or "<code>0X</code>", then:
<ol>
<li><p>Set <var>validationErrorFlag</var>.
<li><p>Remove the first two code points from <var>input</var>.
<li><p>Set <var>R</var> to 16.
</ol>
<li>
<p>Otherwise, if <var>input</var> contains at least two code points and the first code point is
U+0030 (0), then:
<!-- Needs to be at least two code points. Otherwise "0" as input fails to parse. -->
<ol>
<li><p>Set <var>validationErrorFlag</var>.
<li><p>Remove the first code point from <var>input</var>.
<li><p>Set <var>R</var> to 8.
</ol>
<li><p>If <var>input</var> is the empty string, then return zero.
<!-- 0x/0X is an IPv4 number apparently -->
<li><p>If <var>input</var> contains a code point that is not a radix-<var>R</var> digit, then
return failure.
<!-- There is no need to set validationErrorFlag here since it will be used.
XXX radix-R digit, hahaha, that's not a thing -->
<li><p>Return the mathematical integer value that is represented by <var>input</var> in
radix-<var>R</var> notation, using <a>ASCII hex digits</a> for digits with values 0
through 15.
<!-- XXX well, you know, it works for ECMAScript, kinda -->
</ol>
<hr>
<p>The <dfn id=concept-ipv4-parser>IPv4 parser</dfn> takes a string <var>input</var> and then runs
these steps:
<ol>
<li><p>Let <var>validationErrorFlag</var> be unset.
<li><p>Let <var>parts</var> be <var>input</var> split on U+002E (.).
<li>
<p>If the last item in <var>parts</var> is the empty string, then:
<ol>
<li><p>Set <var>validationErrorFlag</var>.
<li><p>If <var>parts</var> has more than one item, then remove the last item from
<var>parts</var>.
<!-- Since the IPv4 parser is not to be invoked directly the input cannot be the empty string,
but if it somehow is this conditional makes sure we can keep going. -->
</ol>
<li><p>If <var>parts</var> has more than four items, return <var>input</var>.
<li><p>Let <var>numbers</var> be the empty list.
<li>
<p>For each <var>part</var> in <var>parts</var>:
<ol>
<li>
<p>If <var>part</var> is the empty string, return <var>input</var>.
<p class="example no-backref" id=example-c2afe535><code>0..0x300</code> is a
<a>domain</a>, not an <a>IPv4 address</a>.
<li><p>Let <var>n</var> be the result of <a lt="IPv4 number parser">parsing</a>
<var>part</var> using <var>validationErrorFlag</var>.
<li><p>If <var>n</var> is failure, return <var>input</var>.
<li><p>Append <var>n</var> to <var>numbers</var>.
</ol>
<li><p>If <var>validationErrorFlag</var> is set, <a>validation error</a>.
<li><p>If any item in <var>numbers</var> is greater than 255, <a>validation error</a>.
<li><p>If any but the last item in <var>numbers</var> is greater than 255, return
failure.
<li><p>If the last item in <var>numbers</var> is greater than or equal to
256<sup>(5 − the number of items in <var>numbers</var>)</sup>, <a>validation error</a>,
return failure.
<li><p>Let <var>ipv4</var> be the last item in <var>numbers</var>.
<li><p>Remove the last item from <var>numbers</var>.
<li><p>Let <var>counter</var> be zero.
<li>
<p>For each <var>n</var> in <var>numbers</var>:
<ol>
<li><p>Increment <var>ipv4</var> by <var>n</var> ×
256<sup>(3 − <var>counter</var>)</sup>.
<li><p>Increment <var>counter</var> by 1.
</ol>
<li><p>Return <var>ipv4</var>.
</ol>
<hr>
<p>The <dfn id=concept-ipv6-parser>IPv6 parser</dfn> takes a string <var>input</var> and
then runs these steps:
<ol>
<li><p>Let <var>address</var> be a new <a>IPv6 address</a> whose <a>IPv6 pieces</a> are all 0.
<li><p>Let <var>pieceIndex</var> be 0.
<li><p>Let <var>compress</var> be null.
<li><p>Let <var>pointer</var> be a pointer into <var>input</var>, initially 0 (pointing to the
first code point).
<li>
<p>If <a>c</a> is U+003A (:), then:
<ol>
<li><p>If <a>remaining</a> does not start with U+003A (:), <a>validation error</a>, return
failure.
<li><p>Increase <var>pointer</var> by 2.
<li><p>Increase <var>pieceIndex</var> by 1 and then set <var>compress</var> to
<var>pieceIndex</var>.
</ol>
<li>
<p>While <a>c</a> is not the <a>EOF code point</a>:
<ol>
<li><p>If <var>pieceIndex</var> is 8, <a>validation error</a>, return failure.
<li>
<p>If <a>c</a> is U+003A (:), then:
<ol>
<li><p>If <var>compress</var> is non-null, <a>validation error</a>, return failure.
<li>Increase <var>pointer</var> and <var>pieceIndex</var> by 1, set <var>compress</var> to
<var>pieceIndex</var>, and then <a for=iteration>continue</a>.
</ol>
<li><p>Let <var>value</var> and <var>length</var> be 0.
<li><p>While <var>length</var> is less than 4 and <a>c</a> is an <a>ASCII hex digit</a>, set
<var>value</var> to <var>value</var> × 0x10 + <a>c</a> interpreted as hexadecimal number,
and increase <var>pointer</var> and <var>length</var> by 1.
<li>
<p>If <a>c</a> is U+002E (.), then:
<ol>
<li><p>If <var>length</var> is 0, <a>validation error</a>, return failure.
<li><p>Decrease <var>pointer</var> by <var>length</var>.
<li><p>If <var>pieceIndex</var> is greater than 6, <a>validation error</a>, return failure.
<li><p>Let <var>numbersSeen</var> be 0.
<li>
<p>While <a>c</a> is not the <a>EOF code point</a>:
<ol>
<li><p>Let <var>ipv4Piece</var> be null.
<li>
<p>If <var>numbersSeen</var> is greater than 0, then:
<ol>
<li><p>If <a>c</a> is a U+002E (.) and <var>numbersSeen</var> is less than 4, then increase
<var>pointer</var> by 1.
<li>Otherwise, <a>validation error</a>, return failure.
</ol>
<li><p>If <a>c</a> is not an <a>ASCII digit</a>, <a>validation error</a>, return failure.
<!-- prevent the empty string -->
<li>
<p>While <a>c</a> is an <a>ASCII digit</a>:
<ol>
<li><p>Let <var>number</var> be <a>c</a> interpreted as decimal number.
<li>
<p>If <var>ipv4Piece</var> is null, then set <var>ipv4Piece</var> to <var>number</var>.
<p>Otherwise, if <var>ipv4Piece</var> is 0, <a>validation error</a>, return failure.
<p>Otherwise, set <var>ipv4Piece</var> to <var>ipv4Piece</var> × 10 +
<var>number</var>.
<li><p>If <var>ipv4Piece</var> is greater than 255, <a>validation error</a>, return
failure.
<li><p>Increase <var>pointer</var> by 1.
</ol>
<li><p>Set <var>address</var>[<var>pieceIndex</var>] to
<var>address</var>[<var>pieceIndex</var>] × 0x100 + <var>ipv4Piece</var>.
<li><p>Increase <var>numbersSeen</var> by 1.
<li><p>If <var>numbersSeen</var> is 2 or 4, then increase <var>pieceIndex</var> by 1.
</ol>
<li><p>If <var>numbersSeen</var> is not 4, <a>validation error</a>, return failure.
<li><p><a for=iteration>Break</a>.
</ol>
<li>
<p>Otherwise, if <a>c</a> is U+003A (:):
<ol>
<li><p>Increase <var>pointer</var> by 1.
<li><p>If <a>c</a> is the <a>EOF code point</a>, <a>validation error</a>, return failure.
</ol>
<li><p>Otherwise, if <a>c</a> is not the <a>EOF code point</a>, <a>validation error</a>, return
failure.
<li><p>Set <var>address</var>[<var>pieceIndex</var>] to <var>value</var>.
<li><p>Increase <var>pieceIndex</var> by 1.
</ol>
<li>
<p>If <var>compress</var> is non-null, then:
<ol>
<li><p>Let <var>swaps</var> be <var>pieceIndex</var> − <var>compress</var>.
<li><p>Set <var>pieceIndex</var> to 7.
<li><p>While <var>pieceIndex</var> is not 0 and <var>swaps</var> is greater than 0, swap
<var>address</var>[<var>pieceIndex</var>] with
<var>address</var>[<var>compress</var> + <var>swaps</var> − 1], and then decrease both
<var>pieceIndex</var> and <var>swaps</var> by 1.
</ol>
<li><p>Otherwise, if <var>compress</var> is null and <var>pieceIndex</var> is not 8,
<a>validation error</a>, return failure.
<li><p>Return <var>address</var>.
</ol>
<hr>
<p>The <dfn export id=concept-opaque-host-parser>opaque-host parser</dfn> takes a string
<var>input</var>, and then runs these steps:
<ol>
<li><p>If <var>input</var> contains a <a>forbidden host code point</a> excluding U+0025 (%),
<a>validation error</a>, return failure.
<li><p>Let <var>output</var> be the empty string.
<li><p>For each code point in <var>input</var>, <a>UTF-8 percent encode</a> it using the
<a>C0 control percent-encode set</a>, and append the result to <var>output</var>.
<li><p>Return <var>output</var>.
</ol>
<h3 id=host-serializing>Host serializing</h3>
<p>The <dfn id=concept-host-serializer lt="host serializer">host serializer</dfn> takes a
<a for=/>host</a> <var>host</var> and then runs these steps:
<ol>
<li><p>If <var>host</var> is an <a>IPv4 address</a>, return the result of
running the <a>IPv4 serializer</a> on <var>host</var>.
<li><p>Otherwise, if <var>host</var> is an <a>IPv6 address</a>, return U+005B ([), followed by the
result of running the <a>IPv6 serializer</a> on <var>host</var>, followed by U+005D (]).
<li><p>Otherwise, <var>host</var> is a <a>domain</a>, <a>opaque host</a>, or <a>empty host</a>,
return <var>host</var>.
</ol>
The <dfn id=concept-ipv4-serializer>IPv4 serializer</dfn> takes an
<a>IPv4 address</a> <var>address</var> and then runs these steps:
<ol>
<li><p>Let <var>output</var> be the empty string.
<li><p>Let <var>n</var> be the value of <var>address</var>.
<li>
<p><a for=set>For each</a> <var>i</var> in the range 1 to 4, inclusive:
<ol>
<li><p>Prepend <var>n</var> % 256, <a lt="serialize an integer">serialized</a>, to
<var>output</var>.
<li><p>If <var>i</var> is not 4, then prepend U+002E (.) to <var>output</var>.
<li><p>Set <var>n</var> to floor(<var>n</var> / 256).
</ol>
<li><p>Return <var>output</var>.
</ol>
<p>The <dfn id=concept-ipv6-serializer>IPv6 serializer</dfn> takes an
<a>IPv6 address</a> <var>address</var> and then runs these steps:
<ol>
<li><p>Let <var>output</var> be the empty string.
<li>
<p>Let <var>compress</var> be an index to the first <a>IPv6 piece</a> in the first longest
sequences of <var>address</var>'s <a>IPv6 pieces</a> that are 0.
<p class=example id=example-e2b3492e>In <code>0:f:0:0:f:f:0:0</code> it would point to
the second 0.
<li><p>If there is no sequence of <var>address</var>'s <a>IPv6 pieces</a> that are 0 that is
longer than 1, then set <var>compress</var> to null.
<li><p>Let <var>ignore0</var> be false.
<li>
<p><a for=set>For each</a> <var>pieceIndex</var> in the range 0 to 7, inclusive:
<ol>
<li><p>If <var>ignore0</var> is true and <var>address</var>[<var>pieceIndex</var>] is 0, then
<a for=iteration>continue</a>.
<li><p>Otherwise, if <var>ignore0</var> is true, set <var>ignore0</var> to false.
<li>
<p>If <var>compress</var> is <var>pieceIndex</var>, then:
<ol>
<li><p>Let <var>separator</var> be "<code>::</code>" if <var>pieceIndex</var> is 0, and
U+003A (:) otherwise.
<li><p>Append <var>separator</var> to <var>output</var>.
<li><p>Set <var>ignore0</var> to true and <a for=iteration>continue</a>.
</ol>
<li><p>Append <var>address</var>[<var>pieceIndex</var>], represented as the shortest possible
lowercase hexadecimal number, to <var>output</var>.
<li><p>If <var>pieceIndex</var> is not 7, then append U+003A (:) to <var>output</var>.
</ol>
<li><p>Return <var>output</var>.
</ol>
<p class=note>This algorithm requires the recommendation from
A Recommendation for IPv6 Address Text Representation.
[[RFC5952]]
<!-- Safari/Gecko/Opera do not normalize IPv6. Chrome does. This algorithm
follows Chrome because we normalize domains too. -->
<h3 id=host-equivalence>Host equivalence</h3>
To determine whether a <a for=/>host</a> <var>A</var>
<dfn export for=host id=concept-host-equals lt=equal>equals</dfn> <var>B</var>, return true if
<var>A</var> is <var>B</var>, and false otherwise.
<p class=XXX>Certificate comparison requires a host equivalence check that ignores the
trailing dot of a domain (if any). However, those hosts have also various other facets
enforced, such as DNS length, that are not enforced here, as URLs do not enforce them. If
anyone has a good suggestion for how to bring these two closer together, or what a good
unified model would be, please file an issue.
<h2 id=urls>URLs</h2>
<!-- History behind URL as term:
https://lists.w3.org/Archives/Public/uri/2012Oct/0080.html -->
<p>At a high level, a <a for=/>URL</a>, <a>valid URL string</a>, <a>URL parser</a>, and
<a>URL serializer</a> relate as follows:
<ul>
<li><p>The <a>URL parser</a> takes an arbitrary string and returns either failure or a
<a for=/>URL</a>.
<li><p>A <a for=/>URL</a> can be seen as the in-memory representation.
<li><p>A <a>valid URL string</a> defines what input would not trigger a <a>validation error</a> or
failure when given to the <a>URL parser</a>. I.e., input that would be considered conforming or
valid.
<li><p>The <a>URL serializer</a> takes a <a for=/>URL</a> and returns an <a>ASCII string</a>. (If
that string is then <a lt="URL parser">parsed</a>, the result will <a for=url>equal</a> the <a
for=/>URL</a> that was <a lt="URL serializer">serialized</a>.)
</ul>
<div class=example id=example-url-parsing>
<table>
<tr>
<th>Input
<th>Base
<th>Valid
<th>Output
<tr>
<td><code>https:example.org</code>
<td>
<td>❌
<td><code>https://example.org/</code>
<tr>
<td><code>https://////example.com///</code>
<td>
<td>❌
<td><code>https://example.com///</code>
<tr>
<td><code>https://example.com/././foo</code>
<td>
<td>✅
<td><code>https://example.com/foo</code>
<tr>
<td><code>hello:world</code>
<td><code>https://example.com/</code>
<td>✅
<td><code>hello:world</code>
<tr>
<td><code>https:example.org</code>
<td><code>https://example.com/</code>
<td>❌
<td><code>https://example.com/example.org</code>
<tr>
<td><code>\example\..\demo/.\</code>
<td><code>https://example.com/</code>
<td>❌
<td><code>https://example.com/demo/</code>
<tr>
<td><code>example</code>
<td><code>https://example.com/demo</code>
<td>✅
<td><code>https://example.com/example</code>
<tr>
<td><code>file:///C|/demo</code>
<td>
<td>❌
<td><code>file:///C:/demo</code>
<tr>
<td><code>..</code>
<td><code>file:///C:/demo</code>
<td>✅
<td><code>file:///C:/</code>
<tr>
<td><code>file://loc%61lhost/</code>
<td>
<td>✅
<td><code>file:///</code>
<tr>