[lug] Netscape6/Mozilla
rm at fabula.de
Wed Nov 14 09:46:20 MST 2001
On Wed, Nov 14, 2001 at 09:19:10AM -0700, Riggs, Rob wrote:
> You are preaching to the wrong person, my friend. I can't just go fix CNN's
> or SalomonSmithBarney's web sites. I cannot access sites, not because I am
> non-compliant, but because the sites are.
Hmm, you can't access their _https_ sites. And, in all fairness, I wouldn't
trust a server whose admin obviously doesn't understand URL semantics.
> We are dealing with this issue
> because the major browsers all treat protocol prefixed relative URLs the
> same way. That makes it a de facto standard.
Netscape and IE (what about Opera?). I hope those aren't the standard-defining
instances -- I know what they've done to HTML in the past ;-)
> What's even more dangerous than redirecting data to a different protocol is
> rewriting a portion of a local URL to a FQDN (/cgi-bin becomes
> //www.cgi-bin.com). How many credit card numbers do you suppose have been
> posted to www.cgi-bin.com because of this misfeature? So this is obviously
> not a safety issue for Mozilla.
No. Only _iff_ the relative URL is '/cgi-bin.com' (would be weird) _and_
either cgi-bin.com has (fake) certificates for the original server (highly
unlikely) or the connection would run without a server certificate -- in
that case there's no security anyway.
I don't really see how this can be fixed other than sending mail
to the sitemasters of sites with such problems. The standard is
pretty clear and makes a lot of sense and the 'de facto' standard
doesn't work.
I know this sounds pretty harsh, but if we (developers) (or the W3C)
would follow this, then the sites doing it 'right' wouldn't work.
And yes, I _do_ have sites where 'http://blub' is different from
'https://blub' (in fact on a different box), so I might be a bit
biased here.
Ralf
>
>
>
> -----Original Message-----
> From: rm at fabula.de [mailto:rm at fabula.de]
> Sent: Wednesday, November 14, 2001 9:10 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] Netscape6/Mozilla
>
>
> On Wed, Nov 14, 2001 at 08:41:16AM -0700, Riggs, Rob wrote:
> > I've come upon a *very* annoying defect in Mozilla/Netscape6 -- relative
> > URLs that specify the protocol (e.g. https:/cgi-bin/foo) are treated as
> > absolute URLs, and the first part of the path expanded with www. and .com.
> > (Imagine all of the traffic posted to www.cgi-bin.com.) Now, according to
> > the spec this is not legal, but it is convention.
>
> Maybe, but an awfully bad (and dangerous) one. This assumption (wrongly)
> implies that one can change protocol without changing the BASE URL.
> 'http:/something' isn't necessarily the same as 'https:/something' --
> as a matter of fact they most often don't. Or, to emphasize the problem:
> what happens if you go from 'http:/blub' to 'ftp:/blub'?
>
> > Netscape4 and IE both
> > treat them as relative URLs and many web sites use them. I'm affected almost
> > daily by this deficiency. The sad part is that this is one of Mozilla's most
> > frequent bug reports, yet they still mark it as WONTFIX.
>
> The fact that many err doesn't make the error go away ... The semantics
> of URLs/URIs are complicated enough and will definitely never work
> between different protocols (http -> LDAP ???).
> I'd say: stick with the standard even though it hurts. Isn't conformance
> to the standards one of the main selling points for Linux?
>
>
> > Because of this bug, I do have Netscape4 and Mozilla (AKA Netscape6)
> > installed on my box.
> > [...]
>
> > -Rob
> >
>
> Ralf
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
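The URL shapes argued about in this thread ('https:/cgi-bin/foo', '/cgi-bin' versus '//www.cgi-bin.com', and switching protocol with a full URL) can be checked against a standards-following resolver. The script below is an added example and is not code from the thread, from Mozilla or from the list; it uses Python's urllib.parse (an RFC 3986-style resolver) to show where each reference shape sends a request, and adds a small audit that flags href/src/action values with a scheme but no '//authority', which is the kind of thing a site maintainer would want to find before a browser guesses a host. The base page www.example.test and the HTML fragment are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit


def resolve(base, ref):
    """Resolve `ref` against `base` with the standard library's RFC-style
    resolver and return (scheme, host, path) of the result."""
    parts = urlsplit(urljoin(base, ref))
    return parts.scheme, parts.netloc, parts.path


# Hypothetical page carrying the links; not a real site.
BASE = "http://www.example.test/shop/cart.html"


def demo_cases():
    """The reference shapes discussed in the thread, resolved against BASE."""
    return {
        # Scheme given, no '//authority': an absolute URL whose host is empty.
        # A conforming client has nowhere to send the request; a browser that
        # guesses a host sends the request somewhere the page never named.
        "scheme_only": resolve(BASE, "https:/cgi-bin/foo"),
        # The correct way to switch protocol: name the authority as well.
        "scheme_and_host": resolve(BASE, "https://www.example.test/cgi-bin/foo"),
        # Network-path reference: keeps the page's scheme, changes the host.
        # This is why '/cgi-bin' and '//www.cgi-bin.com' are very different.
        "network_path": resolve(BASE, "//www.cgi-bin.com/foo"),
        # Plain absolute-path reference: same scheme, same host.
        "absolute_path": resolve(BASE, "/cgi-bin/foo"),
        # Same scheme as the base page: urljoin keeps the legacy (RFC 1808)
        # behaviour and fills in the host, so the old convention only breaks
        # when the scheme actually changes.
        "same_scheme": resolve("https://www.example.test/shop/cart.html",
                               "https:/cgi-bin/foo"),
    }


# href/src/action values carrying http, https or ftp followed by a single
# slash (no '//'). mailto: and similar schemes have no authority at all and
# are deliberately not flagged.
_HOSTLESS = re.compile(
    r'''(?:href|src|action)\s*=\s*["']?((?:https?|ftp):(?!//)[^"'\s>]*)''',
    re.IGNORECASE,
)


def find_hostless_references(html):
    """Return every link/form target whose scheme is present but whose
    authority is missing, so a maintainer can correct them."""
    return _HOSTLESS.findall(html)


# Constructed HTML fragment for the audit; not taken from any real site.
SAMPLE_HTML = """
<form action="https:/cgi-bin/checkout.cgi" method="post">
  <input name="card" type="text">
</form>
<a href="/cgi-bin/help">Help</a>
<a href="https://www.example.test/cgi-bin/help">Help (secure)</a>
<a href="mailto:webmaster@example.test">Contact</a>
<img src="http:/images/logo.gif">
"""

if __name__ == "__main__":
    for name, (scheme, host, path) in demo_cases().items():
        print(f"{name:16} -> scheme={scheme!r} host={host!r} path={path!r}")
    print("hostless references:", find_hostless_references(SAMPLE_HTML))
```

The point the resolver makes concrete: 'https:/cgi-bin/foo' on an http page resolves to scheme https with an empty host, so whatever host a browser substitutes is a guess, and a form posting a card number to that guess is posting it off-site. The audit regex is intentionally narrow (http, https, ftp only) so that schemes which legitimately have no authority are not reported.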