Bug 1863622 Comment 13 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

> Just wanted to add that the URL parsing on Chrome's Windows version is considered to be safe and a fix will be released for Mac and Linux versions.
[...]
> In Chrome (Windows version), the pathname for x:https://google.com is presented as /X:/https://google.com. This approach seems secure as it addresses arbitrary redirection or JavaScript execution concerns.

This behavior violates the URL spec, but even if they do extend it to Mac and Linux, I don't see how it addresses the underlying problem. They can argue (and have) that a single-letter scheme should be seen as a drive letter and thus an implicit file:// URL, but if you switch to a longer scheme like `xx:javascript:alert(window.origin)` you're back to the original problem.
