-
Notifications
You must be signed in to change notification settings - Fork 37
First stab replacing url.parse with URL constructor (fixes #215) #231
Conversation
Hehe, that's the problem :P We need a base path since we use relative URLs. |
lib/helpers.js
Outdated
if (isRelative) { | ||
urlString = `https:${urlString}`; | ||
if (missingScheme || bareHostname) { | ||
urlString = `http:${urlString}`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This changes the previous behavior though. Before we defaulted to https
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that's an oddity I'd like to sort out:
In https://github.com/mozilla/srihash.org/blob/master/test/helpers.js#L30-L31, we expect example.com/script.js
to be completed to HTTP, but below in https://github.com/mozilla/srihash.org/blob/master/test/helpers.js#L37-L38 we autofill the protocol-relative //example.com/script.js
to HTTPS.
It's not in secureHosts.json, so why do we upgrade in the latter case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, yeah that doesn't seem right indeed. On a side note, since the input
has type="url"
, the user doesn't seem to be able to enter a protocol-relative file. At least with FF 66 that I use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change was done in #156
So, if we trust the browsers' checks here, I think we can just drop the whole relative URLs logic (protocol-relative and schemeless).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We shouldn't trust the browser completely. We should try to parse with the URL constructor and return an error to the user interface if it throws
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems I love rebasing after lunch.
lib/helpers.js
Outdated
// Add a scheme to scheme-less URLs | ||
const isRelative = Boolean(urlString.match(/^\/\//)); | ||
// For URLs that are protocol-relative or missing it completely | ||
const missingScheme = urlString.indexOf(":") === -1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd change this to const missingScheme = !urlString.includes(':');
eff4fb8
to
d7377e4
Compare
Not sure I understand the failures for |
Naive attempt :)