This was changed in bug 1063281. Due to the size of the changes, a backout would be higher risk than just fixing it, which involves conditionally allowing "_" (and maybe other characters?) around here:
https://hg.mozilla.org/releases/mozilla-release/annotate/63286f849ae3/security/pkix/lib/pkixnames.cpp#l905

(In reply to Anne (:annevk) from comment #12)
> David, what is unclear? In step 6 a set of problematic ASCII code points is
> rejected, but in general we should not assume that we can subset what names
> subdomains can allocate.

Oh, I see. To me, that list allows the following ASCII: control codes that are not NUL, TAB, LF, or CR; alphanumeric (no problems there); and !, ", $, &, ', (, ), *, +, ',', -, ., ;, <, =, >, ^, _, `, {, |, }, and ~. Supporting all of that punctuation seems strange to me, but I can't think of a security concern if they're used. The control codes are much more problematic. For instance, how do we display DEL? Or VT (vertical tab)? If any of those could change how the hostname displays in the urlbar, that's definitely a concern.
Bug 1136616 Comment 14 Edit History
This was changed in bug 1063281. Due to the size of the changes, a backout would be higher risk than just fixing it, which involves conditionally allowing "_" (and maybe other characters?) around here:
https://hg.mozilla.org/releases/mozilla-release/annotate/63286f849ae3/security/pkix/lib/pkixnames.cpp#l905

(In reply to Anne (:annevk) from comment #12)
> Dana, what is unclear? In step 6 a set of problematic ASCII code points is
> rejected, but in general we should not assume that we can subset what names
> subdomains can allocate.

Oh, I see. To me, that list allows the following ASCII: control codes that are not NUL, TAB, LF, or CR; alphanumeric (no problems there); and !, ", $, &, ', (, ), *, +, ',', -, ., ;, <, =, >, ^, _, `, {, |, }, and ~. Supporting all of that punctuation seems strange to me, but I can't think of a security concern if they're used. The control codes are much more problematic. For instance, how do we display DEL? Or VT (vertical tab)? If any of those could change how the hostname displays in the urlbar, that's definitely a concern.
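
Added example (not part of the bug comment and not mozilla::pkix code): a Python sketch that encodes the allowed-ASCII reading given in the comment above and audits a hostname against it, so that names containing DEL or VT show up as accepted but flagged. The function names are hypothetical, and any ASCII character the comment does not list as allowed is assumed to be rejected.

```python
import string

# Punctuation the comment lists as allowed (copied from the comment).
COMMENT_PUNCT = set("!\"$&'()*+,-.;<=>^_`{|}~")
# Control codes the comment names as not allowed: NUL, TAB, LF, CR.
REJECTED_CONTROLS = {0x00, 0x09, 0x0A, 0x0D}


def classify(ch):
    """Return 'alnum', 'punct', 'control' or 'rejected' for one ASCII character."""
    cp = ord(ch)
    if cp > 0x7F:
        raise ValueError("only ASCII is covered here")
    if ch in string.ascii_letters or ch in string.digits:
        return "alnum"
    if cp < 0x20 or cp == 0x7F:
        # Every other C0 control, and DEL, passes under the comment's reading.
        return "rejected" if cp in REJECTED_CONTROLS else "control"
    # Assumption: printable ASCII absent from the comment's list is rejected.
    return "punct" if ch in COMMENT_PUNCT else "rejected"


def rejected_printables():
    """Printable ASCII (space included) outside the comment's allowed list."""
    return "".join(chr(c) for c in range(0x20, 0x7F)
                   if classify(chr(c)) == "rejected")


def audit_hostname(host):
    """Return (accepted, findings).

    accepted is False if any character is rejected; findings holds
    (index, code point, class) for each character that is neither
    alphanumeric nor a label-separating dot.
    """
    accepted, findings = True, []
    for i, ch in enumerate(host):
        kind = classify(ch)
        if kind == "rejected":
            accepted = False
        if kind != "alnum" and ch != ".":
            findings.append((i, "U+%04X" % ord(ch), kind))
    return accepted, findings


if __name__ == "__main__":
    # Constructed sample names, not taken from the bug.
    for name in ["foo_bar.example", "a\x7fb.example", "a\x0bb.example", "a b.example"]:
        print(repr(name), audit_hostname(name))
```
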