Closed Bug 1732963 Opened 4 years ago Closed 4 years ago

Firefox doesn't open Emoji domain that chrome does

Categories

(Core :: Networking, defect, P1)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox92 --- unaffected
firefox93 --- unaffected
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- wontfix

People

(Reporter: dveditz, Unassigned)

References

(Regression,
URL
)

Details

(Keywords: regression, sec-other)

+++ This bug was initially created as a clone of Bug #1724233 +++

See the testcases at https://www.xn--1ugz855p6kd.tk -- originally we opened a different site than Chrome for the final link, but after the fix in bug 1724233 we treat it as a malformed URL and won't open it at all. (we did fix the first part of the bug with non-ASCII in an ACE-prefixed label).

No longer regressed by: CVE-2021-43533

Did we break emoji-domains entirely? That could annoy a bunch of people who like these as clever toys. Probably no important site though.

Keywords: regression, sec-other
Regressed by: CVE-2021-43533
Whiteboard: [reporter-external] [client-bounty-form] [verif?][necko-triaged][post-critsmash-triage]
Has Regression Range: --- → yes

I think it's just that one site:

It shows up as invalid in the reference URL parser:
https://jsdom.github.io/whatwg-url/#url=aHR0cDovL3d3dy7wn5Go4oCN8J+msC50aw==&base=YWJvdXQ6Ymxhbms=

(In reply to Anne (:annevk) from bug 1724233 comment #2)

I think the emoji difference is a result of Chrome not using Nontransitional_Processing: https://bugs.chromium.org/p/chromium/issues/detail?id=694157.

Other emoji URLs pass with no issues. For example http://🙂.example.com or http://😆.com

Note that http://www.👨‍🦰.tk also fails to parse/load in safari.

Indeed, this is a question of which variety of IDNA you follow and for some reason Firefox and Safari diverged from the status quo (went from 2003 to 2008, roughly) and Chrome upheld the status quo (stuck with 2003). In my opinion we should all have stuck with 2003, even though that is not great for German users as the Eszett becomes ss (and also not great for a couple other code points but those users have been less vocal about it).

I'm inclined to close this as WONTFIX.
We currently parse both www.xn--qq8hq8f.tk and http://www.👨‍🦰.tk exactly as the jsdom reference implementation.

I agree. It's also not a security bug.

Thanks Anne!

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.