[lug] Netscape6/Mozilla

rm at fabula.de rm at fabula.de
Wed Nov 14 09:46:20 MST 2001


On Wed, Nov 14, 2001 at 09:19:10AM -0700, Riggs, Rob wrote:
> You are preaching to the wrong person, my friend. I can't just go fix CNN's
> or SalomonSmithBarney's web sites. I cannot access sites, not because I am
> non-compliant, but because the sites are. 

Hmm, you can't access their _https_ sites. And, in all fairness, I wouldn't
trust a server whose admin obviously doesn't understand URL semantics.

>                                           We are dealing with this issue
> because the major browsers all treat protocol prefixed relative URLs the
> same way. That makes it a de facto standard.

Netscape and IE (what about Opera?). I hope those aren't the standard
defining instances -- I know what they've done to HTML in the past ;-)

> What's even more dangerous than redirecting data to a different protocol is
> rewriting a portion of a local URL to a FQDN (/cgi-bin becomes
> //www.cgi-bin.com). How many credit card numbers do you suppose have been
> posted to www.cgi-bin.com because of this misfeature? So this is obviously
> not a safety issue for Mozilla.

No. Only _iff_ the relative URL is '/cgi-bin.com' (would be weird) _and_
either cgi-bin.com has (fake) certificates for the original server (highly
unlikely) or the connection would run without a server certificate -- in
that case there's no security anyway.

I don't really see how this can be fixed other than sending mail
to the sitemasters of sites with such problems. The standard is
pretty clear and makes a lot of sense and the 'de facto' standard
doesn't work.
I know this sounds pretty harsh, but if we (developers) (or the W3C)
followed this, then the sites doing it 'right' wouldn't work.
And yes, I _do_ have sites where 'http://blub' is different from
'https://blub' (in fact on a different box), so I might be a bit
biased here.

 Ralf


> 
> 
> 
> -----Original Message-----
> From: rm at fabula.de [mailto:rm at fabula.de]
> Sent: Wednesday, November 14, 2001 9:10 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] Netscape6/Mozilla
> 
> 
> On Wed, Nov 14, 2001 at 08:41:16AM -0700, Riggs, Rob wrote:
> > I've come upon a *very* annoying defect in Mozilla/Netscape6 -- relative
> > URLs that specify the protocol (e.g. https:/cgi-bin/foo) are treated as
> > absolute URLs, and the first part of the path expanded with www. and .com.
> > (Imagine all of the traffic posted to www.cgi-bin.com.) Now, according to
> > the spec this is not legal, but it is convention. 
> 
> Maybe, but an awfully bad (and dangerous) one. This assumption (wrongly)
> implies that one can change protocol without changing the BASE URL.
> 'http:/something' isn't necessarily the same as 'https:/something' --
> as a matter of fact, they most often aren't. Or, to emphasize the problem:
> what happens if you go from 'http:/blub' to 'ftp:/blub'?
> 
> > Netscape4 and IE both
> > treat them as relative URLs and many web sites use them. I'm affected
> > almost daily by this deficiency. The sad part is that this is one of
> > Mozilla's most frequent bug reports, yet they still mark it as WONTFIX.
> 
> The fact that many err doesn't make the error go away ... The semantics
> of URLs/URIs are complicated enough and will definitely never work
> between different protocols (http -> LDAP ???).
> I'd say: stick with the standard even though it hurts. Isn't conformance
> to the standards one of the main selling points for Linux?
> 
> 
> > Because of this bug, I do have Netscape4 and Mozilla (AKA Netscape6)
> > installed on my box. 
> > [...]
> 
> > -Rob
> > 
> 
>    Ralf
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
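The resolution rules the two of them are arguing over, as an added example that is not part of the original thread: a small resolver following RFC 3986 section 5.2.2, with a switch for the pre-3986 browser habit of treating a same-scheme reference as relative, plus a check that flags references which resolve to a URL with no host (the situation where a browser ends up guessing www.cgi-bin.com). The base URLs are constructed; the scheme-prefixed reference is the one from the thread.

```python
import re
from collections import namedtuple

# RFC 3986 Appendix B regex; a group is None when that part is absent
# (authority "" means a bare "//" with nothing after it).
_URI_RE = re.compile(r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?")
Ref = namedtuple("Ref", "scheme authority path query fragment")

def split(url):
    return Ref(*_URI_RE.match(url).groups())

def unsplit(r):
    out = f"{r.scheme}:" if r.scheme is not None else ""
    out += f"//{r.authority}" if r.authority is not None else ""
    out += r.path + (f"?{r.query}" if r.query is not None else "")
    return out + (f"#{r.fragment}" if r.fragment is not None else "")

def remove_dot_segments(path):
    segs, out = path.split("/"), []
    for seg in segs:
        if seg == "..":
            if len(out) > 1:      # never pop the root
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs[-1] in (".", ".."):   # a trailing dot segment keeps the trailing slash
        out.append("")
    return "/".join(out)

def resolve(base_url, ref, strict=True):
    """RFC 3986 section 5.2.2. strict=False adds the pre-3986 browser habit: a
    reference whose scheme equals the base's is treated as if it had no scheme."""
    b, r = split(base_url), split(ref)
    if not strict and r.scheme is not None and r.scheme.lower() == (b.scheme or "").lower():
        r = r._replace(scheme=None)
    if r.scheme is not None:            # absolute reference: the base is ignored
        return unsplit(r._replace(path=remove_dot_segments(r.path)))
    if r.authority is not None:         # network-path reference: "//host/..."
        return unsplit(r._replace(scheme=b.scheme, path=remove_dot_segments(r.path)))
    if not r.path:                      # query- or fragment-only reference
        q = r.query if r.query is not None else b.query
        return unsplit(r._replace(scheme=b.scheme, authority=b.authority, path=b.path, query=q))
    if r.path.startswith("/"):
        path = r.path
    else:                               # merge into the base path's directory
        head = b.path.rpartition("/")[0] + "/" if "/" in b.path else ("/" if b.authority is not None else "")
        path = head + r.path
    return unsplit(r._replace(scheme=b.scheme, authority=b.authority, path=remove_dot_segments(path)))

def hostless(url):   # http(s)/ftp URL that resolved to no authority: nothing to connect to
    r = split(url)
    return r.scheme is not None and r.scheme.lower() in {"http", "https", "ftp"} and r.authority is None
```

Run over a site's extracted links, `hostless(resolve(page_url, href))` lists exactly the references the thread complains about; note that the lenient mode only rescues them when the page itself is already served over the same scheme.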
