Open Bug 1369029 Opened 3 years ago Updated 2 months ago

Consider blocking requests to HTTP(S) URLs that contain both `\n` and `<` characters.


(Core :: Networking, enhancement, P3)





(Reporter: mkwst, Assigned: valentin)


(Whiteboard: [necko-active])

In the hopes of mitigating one form of dangling-markup-based exfiltration, Blink plans to block requests whose URLs contain both removable whitespace (`\n`, `\r`, `\t`) _and_ raw less-than (`<`) characters. lays out the strategy and justification in more detail, proposed patches to URL and Fetch are up for review at and respectively, and Blink's "Intent to Remove" might be helpful:
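
A sketch of the check described in the report above, as an added example that is not Blink's or Gecko's code; the function names, hostnames and sample URLs are constructed for illustration. It inspects the raw string before URL parsing, because the WHATWG URL parser strips tab and newline characters and percent-encodes `<` in the query, so neither signal survives in the serialized URL.

```javascript
// Added example: hypothetical names, constructed inputs.
const REMOVABLE_WHITESPACE = /[\t\n\r]/; // characters the URL parser strips
const RAW_LESS_THAN = /</;               // raw "<" only; "%3C" does not count

// Decide on the *raw* value (e.g. an attribute value), before URL parsing.
function shouldBlockRequest(rawUrl, baseUrl) {
  const suspicious =
    REMOVABLE_WHITESPACE.test(rawUrl) && RAW_LESS_THAN.test(rawUrl);
  if (!suspicious) return false;
  let parsed;
  try {
    parsed = new URL(rawUrl, baseUrl);
  } catch (e) {
    return false; // unparseable input never becomes a request
  }
  // The bug title scopes the block to HTTP(S) URLs.
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// The serialized URL after parsing: both signals are gone by this point.
function serialized(rawUrl, baseUrl) {
  return new URL(rawUrl, baseUrl).href;
}

const BASE = "https://site.example/page";
// Constructed sample: an unterminated attribute value that swallowed the
// markup following it, newlines included.
const DANGLING =
  "https://collector.example/?x=\n<input name=\"token\" value=\"abc\">\n<p>";
const SAMPLES = [
  [DANGLING, true],
  ["https://site.example/a?q=1<2", false],      // "<" but no whitespace
  ["https://site.example/a\n/b", false],        // whitespace but no "<"
  ["https://site.example/?q=%3Cb%3E\n", false], // encoded "<" is not raw
  ["data:text/html,\n<b>hi</b>", false],        // not HTTP(S)
  ["/img\t/logo.png?<", true],                  // relative, resolves to https
];
for (const [raw, expected] of SAMPLES) {
  const got = shouldBlockRequest(raw, BASE);
  console.log(JSON.stringify(raw), "->", got, "(expected", expected + ")");
}
console.log("after parsing:", serialized(DANGLING, BASE));
```
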

This seems like a very good idea, with clear security benefits.
I'll get started on a patch in a couple of weeks.
Assignee: nobody → valentin.gosu
Whiteboard: [necko-active]
Bulk priority update:
Priority: -- → P1
Priority: P1 → P2
Moving to p3 because no activity for at least 1 year(s).
See for more information
Priority: P2 → P3