There are a couple of big pieces of work here:

1) Making the "cargo vendor" story work better. rust-url has a bunch of dependencies, and you have to get them all in-tree.

2) More security review & planning. URL parsing is scary! And we'd want to ship & run it alongside the C++ one to check for places where rust-url is not fully web compatible, but there are major privacy issues in reporting back anything more than "1 failure," even for users who have explicitly opt'd in to reporting back data.

But the team is definitely working on both of these pieces and I'd hope to see it in the near future. No timeline / release number promises, though, right now :-)

It would be cool for #2 that if a difference was detected, firefox would try to test and generate a general case (or a minimal case) - substituting out sensitive information. I guess sort of like fuzzy testing...

Another question is that determining what is sensitive information is a bit complicated… But there is an option of asking the user to edit URL to find anonymous enough form of the bug trigger. Maybe after doing some basic fuzzing (like replacing runs of alphanumerics with random runs of alphanumerics of the same length, if possible).

That's a great idea. They should consider doing that even if the initial code mighg be convoluted a bit.

For some context on point 1, https://github.com/rust-lang/cargo/pull/2857

Could a fuzzer that would report discrepancies between the C++ URL parser and rust-url help with part (2)?

I thought this was already shipped. Was there some announcement in regards to this and then it didn't get shipped anyways?

Some people were talking about the patch in the bug tracker, but it never landed, as far as I know. It's still intended to eventually, but (at least when I've talked about it on here) it's been "there's a patch" not "this is in-tree".

I'm guessing because it's an absolutely crucial piece of the browser?