The new test in the PR tests
- XHR.open()
- sendBeacon()
- substitution to URL.href
- substitution to window.location.
for bunch of bad inputs listed in https://github.com/w3c/web-platform-tests/blob/master/url/urltestdata.json

The entries with failure set to true and base set to "about:blank" are used for this test.

This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Fixable issues:

* URL.href doesn't throw on bad URLs.
* window.location.href throws a SyntaxError rather than a TypeError

Not straightforward issues:

* Many URLs considered valid by Chrome are not valid by the standard

It would be possible to make the valid URLs that can be set from Javascript be a subset of those accepted by url::Parsed. By my initial analysis, this would be safe (there might be cases where a URL was exposed to JS that couldn't actually be set from JS, which would be annoying but maybe not actively harmful?). But we don't want to have a second URL parser, so it would be limited to URLs we can tell are invalid even after they've been canonicalised.