[lug] Netscape6/Mozilla

Riggs, Rob RRiggs at doubleclick.net
Wed Nov 14 10:09:48 MST 2001


> Hmm, you can't access their _https_ sites. And, in all fairness, I
> wouldn't trust a server whose admin obviously doesn't understand URL semantics.

No, I can't access their HTTP or HTTPS sites when they use scheme prefixed
relative URLs. (The Mozilla bug report on this topic uses http: prefixed
URLs in the description.) Trust is not necessarily an issue here.

>> What's even more dangerous than redirecting data to a different protocol is
>> rewriting a portion of a local URL to a FQDN (/cgi-bin becomes
>> //www.cgi-bin.com). How many credit card numbers do you suppose have been
>> posted to www.cgi-bin.com because of this misfeature? So this is obviously
>> not a safety issue for Mozilla.

> No. Only _iff_ the relative URL is '/cgi-bin.com' (would be weird) _and_
> either cgi-bin.com has (fake) certificates for the original server (highly
> unlikely) or the connection would run without a server certificate -- in
> that case there's no security anyway.

No... I deal with this frequently. If the URL is http:/cgi-bin/foo, Mozilla
does, in fact, try to go to http://www.cgi-bin.com/.

The thing is, if the current location is in the same scheme as the URL in
question, there is no harm in ignoring the scheme identifier and treating
the URL as relative.

I agree that it is broken. I agree that it is wrong. But I *do* have to visit
sites that use this scheme and getting them to fix it is not likely possible.
Until either Mozilla or the rest of the world fixes the problem, I must
continue to use Netscape4 to visit the sites that use this type of broken URL.

-Rob
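The rule Rob asks for (ignore the scheme when it equals the base document's scheme and resolve the rest as a relative reference) is exactly the "non-strict" option that RFC 3986 section 5.2.2 describes for backwards compatibility. The following is an added example, not code from the original message or from Mozilla: it implements RFC 3986 reference resolution with that strict/non-strict switch so the two outcomes for a reference like http:/cgi-bin/foo can be compared side by side. The base URL http://example.com/dir/page and the references are constructed inputs; the www.cgi-bin.com host-guessing that Rob reports from Mozilla is not modelled, the code only shows what a standards-based resolver yields in each mode.

```python
# RFC 3986 section 5.2 reference resolution with the "strict" switch that
# decides what happens to a reference such as "http:/cgi-bin/foo", whose
# scheme matches the base document's scheme but which carries no "//authority".
import re
from urllib.parse import urljoin

# Regular expression from RFC 3986 appendix B; group numbers follow the RFC.
_URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")


def split_uri(uri):
    """Split a URI reference into its five components (None = absent)."""
    m = _URI_RE.match(uri)
    return {"scheme": m.group(2), "authority": m.group(4),
            "path": m.group(5) or "", "query": m.group(7), "fragment": m.group(9)}


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4: collapse "." and ".." segments."""
    segments = path.split("/")
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == ".":
            if last:
                out.append("")  # keep the trailing slash
        elif seg == "..":
            # Never pop the leading empty segment of an absolute path.
            if len(out) > 1 or (out and out[0] != ""):
                out.pop()
            if last:
                out.append("")
        else:
            out.append(seg)
    return "/".join(out)


def merge_paths(base, ref_path):
    """RFC 3986 section 5.2.3: append ref_path to the base path's directory."""
    if base["authority"] is not None and base["path"] == "":
        return "/" + ref_path
    i = base["path"].rfind("/")
    return (base["path"][: i + 1] if i >= 0 else "") + ref_path


def recompose(p):
    """RFC 3986 section 5.3: reassemble the components into a string."""
    s = ""
    if p["scheme"] is not None:
        s += p["scheme"] + ":"
    if p["authority"] is not None:
        s += "//" + p["authority"]
    s += p["path"]
    if p["query"] is not None:
        s += "?" + p["query"]
    if p["fragment"] is not None:
        s += "#" + p["fragment"]
    return s


def resolve(base_uri, ref, strict=True):
    """RFC 3986 section 5.2.2. strict=True: any scheme makes the reference
    absolute, so "http:/cgi-bin/foo" ends up with no host at all.
    strict=False: a scheme equal to the base scheme is dropped and the rest
    is resolved as a relative reference (the behaviour argued for above)."""
    base = split_uri(base_uri)
    r = split_uri(ref)
    if not strict and r["scheme"] == base["scheme"]:
        r["scheme"] = None
    if r["scheme"] is not None:
        t = dict(r)
        t["path"] = remove_dot_segments(r["path"])
    elif r["authority"] is not None:
        t = {"scheme": base["scheme"], "authority": r["authority"],
             "path": remove_dot_segments(r["path"]), "query": r["query"]}
    else:
        if r["path"] == "":
            path = base["path"]
            query = r["query"] if r["query"] is not None else base["query"]
        elif r["path"].startswith("/"):
            path, query = remove_dot_segments(r["path"]), r["query"]
        else:
            path, query = remove_dot_segments(merge_paths(base, r["path"])), r["query"]
        t = {"scheme": base["scheme"], "authority": base["authority"],
             "path": path, "query": query}
    t["fragment"] = r["fragment"]
    return recompose(t)


def stdlib_resolution(base_uri, ref):
    """Cross-check: Python's own urllib.parse.urljoin on the same input."""
    return urljoin(base_uri, ref)


# Constructed example: the kind of page Rob describes.
BASE = "http://example.com/dir/page"
for ref in ("http:/cgi-bin/foo", "https:/cgi-bin/foo", "/cgi-bin/foo"):
    print(f"{ref:20} strict={resolve(BASE, ref):30} "
          f"non-strict={resolve(BASE, ref, strict=False)}")
```

In strict mode the reference comes back as `http:/cgi-bin/foo`, a URI with a path but no authority, which is why a browser has to decide what host to connect to; in non-strict mode it resolves to `http://example.com/cgi-bin/foo` on the current host, and a cross-scheme reference such as `https:/cgi-bin/foo` stays absolute in both modes, so the "redirect to a different protocol" case is untouched by the relaxation. Python's `urllib.parse.urljoin` already applies the non-strict rule for the schemes in its `uses_relative` list, which the `stdlib_resolution` helper lets you confirm.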
