[lug] Netscape6/Mozilla

rm at fabula.de rm at fabula.de
Wed Nov 14 18:21:38 MST 2001


On Wed, Nov 14, 2001 at 10:09:48AM -0700, Riggs, Rob wrote:
> No, I can't access their HTTP or HTTPS sites when they use scheme prefixed
> relative URLs. (The Mozilla bug report on this topic uses http: prefixed
> URLs in the description.) Trust is not necessarily an issue here.

Ok, I think I see the problem now (haven't yet seen such broken HTML).

> >> What's even more dangerous than redirecting data to a different protocol is
> >> rewriting a portion of a local URL to a FQDN (/cgi-bin becomes
> >> //www.cgi-bin.com). How many credit card numbers do you suppose have been
> >> posted to www.cgi-bin.com because of this misfeature? So this is obviously
> >> not a safety issue for Mozilla.
> 
> > No. Only _iff_ the relative URL is '/cgi-bin.com' (would be weird) _and_
> > either cgi-bin.com has (fake) certificates for the original server (highly
> > unlikely) or the connection would run without a server certificate -- in
> > that case there's no security anyway.
> 
> No... I deal with this frequently. If the URL is http:/cgi-bin/foo, Mozilla
> does, in fact, try to go to http://www.cgi-bin.com/.

But this seems to be a slightly different case from just interpreting quasi
relative URLs as absolute ones.  How and why does Mozilla get from
cgi-bin to cgi-bin.com? Is this the latest AI technology? :-) Adding some
arbitrary top-level domain at the end of a hostname isn't a good idea
(hmm, thinking of it: how is your search domain set in resolv.conf?).

> The thing is, if the current location is in the same scheme as the URL in
> question, there is no harm in ignoring the scheme identifier and treating
> the URL as relative.


> I agree that it is broken. I agree that it is wrong. But I *do* have to visit
> sites that use this scheme and getting them to fix it is not likely
> possible.
> Until either Mozilla or the rest of the world fixes the problem, I must
> continue to use Netscape4 to visit the sites that use this type of broken
> URL.

I guess there's little you can do here -- I more and more think that
the web broke sometime during '94 ...

  Ralf 

> -Rob
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
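
The following is an added example, not part of the message above or of any Mozilla code. It audits a page's links for the scheme-prefixed relative URLs discussed in the thread (such as `http:/cgi-bin/foo`) and resolves them with the WHATWG URL parser found in Node.js and current browsers, showing that the same string stays on the site when the page's scheme matches but turns its first path segment into a hostname when it does not. The `example.com` URLs and the sample hrefs are constructed, and the `www.` / `.com` hostname guessing mentioned in the thread is not modelled.

```javascript
// Added example: flag scheme-prefixed relative URLs and show where they resolve.
// Matches "http:" or "https:" NOT followed by "//", e.g. "http:/cgi-bin/foo".
const SCHEME_PREFIXED_RELATIVE = /^https?:(?!\/\/)/i;

// Resolve one href against the page URL and report whether the resulting
// request would leave the page's own origin (scheme + host + port).
function auditHref(href, pageUrl) {
  const base = new URL(pageUrl);
  const resolved = new URL(href, base); // WHATWG URL Standard resolution
  return {
    href,
    malformed: SCHEME_PREFIXED_RELATIVE.test(href.trim()),
    resolved: resolved.href,
    leavesOrigin: resolved.origin !== base.origin,
  };
}

// Return findings only for the malformed hrefs on a page.
function auditPage(hrefs, pageUrl) {
  return hrefs.map((h) => auditHref(h, pageUrl)).filter((r) => r.malformed);
}

// Constructed sample: hrefs as they might appear in a page's markup.
const SAMPLE_HREFS = [
  "/cgi-bin/order",            // ordinary relative URL, not flagged
  "http:/cgi-bin/foo",         // the form quoted in the thread
  "http:images/logo.gif",      // scheme prefix with no slash at all
  "http://www.example.com/ok", // well-formed absolute URL, not flagged
  "https:/cgi-bin/pay",        // scheme prefix that differs from an http page
];

// Audit the same links as served from an http page and from an https page.
for (const page of ["http://www.example.com/shop/cart.html",
                    "https://www.example.com/shop/cart.html"]) {
  console.log(`page: ${page}`);
  for (const f of auditPage(SAMPLE_HREFS, page)) {
    const note = f.leavesOrigin ? "LEAVES ORIGIN" : "same origin";
    console.log(`  ${f.href} -> ${f.resolved} [${note}]`);
  }
}
```

A link that is flagged and also leaves the origin is the case worth fixing first, since any form data or credentials sent with it go to a host the page author never named.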


