Skip to content

/ rust-url

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Public urlutils and check type in set_scheme #83

Merged
merged 1 commit into from Feb 26, 2015
Merged

Public urlutils and check type in set_scheme #83

merged 1 commit into from Feb 26, 2015

Conversation

@valenting
Copy link
Collaborator

valenting commented Feb 24, 2015

Make urlutils public and disallow changing the scheme type to an incompatible type
@valenting
Make urlutils public and disallow changing the scheme type to an inco…
Loading status checks…
77f4bbd 
…mpatible type
@SimonSapin
Copy link
Member

SimonSapin commented Feb 24, 2015

I’m not sure about disallowing the changes. In the test case below, no two of the browsers tested are interoperable but they all do change the scheme:

http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=3428

<a href="mailto:a@b.net">
<script>
var a = document.body.firstChild; 
console.log(a.href);
a.protocol = "http";
console.log(a.href)
</script>

In Chromium:

log: mailto:a@b.net
log: http://a@b.net/

In old Opera (Presto):

log: mailto:a@b.net
log: http:///a@b.net

In Firefox:

log: mailto:a@b.net
log: http://software.hixie.ch/utilities/js/live-dom-viewer/a@b.net
@valenting
Copy link
Collaborator Author

valenting commented Feb 24, 2015

One of the ssues we've had in Firefox is setters that make the URL go into an invalid state.
For example:

#[test]
fn change_protocol() {
    let mut url = Url::parse("file:///[:::_1]/abc.html").unwrap(); // valid file path, but invalid hostname
    {
        let mut wrapper = UrlUtilsWrapper { url: &mut url, parser: &UrlParser::new()};
        wrapper.set_scheme("http");
    }
    let result = Url::parse(&url.serialize()).unwrap().serialize();
}

There are probably hundreds of these examples. Sometimes harmless, sometimes a big security risk. IMO the only way of safely changing the scheme is enforcing they the same type.

PS. there are things we don't allow in Firefox. Like this:

var url = new URL("http://example.com");
url.protocol = "data"; // this does nothing
@SimonSapin
Copy link
Member

SimonSapin commented Feb 24, 2015

I’ve filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=28091 on the spec about this.
@SimonSapin
Copy link
Member

SimonSapin commented Feb 24, 2015

Ok, in the spec, a "relative flag" is maintained separately from the scheme. So in this test case, you’d end up with an URL in the http scheme but that is still a non-relative URL. What do you think?
@valenting
Copy link
Collaborator Author

valenting commented Feb 24, 2015

We could also reparse the url after setting the scheme, and roll it back if that fails.
I think that would work.
@SimonSapin
Copy link
Member

SimonSapin commented Feb 24, 2015

Ideally we’d do what the spec says, and if that’s not good we should convince Anne to change the spec.
@SimonSapin SimonSapin mentioned this pull request Feb 26, 2015
Open
@SimonSapin
Copy link
Member

SimonSapin commented Feb 26, 2015

Alright, let's take this for now. I filed #85 about this issue, if we want to revsisit later.
SimonSapin added a commit that referenced this pull request Feb 26, 2015
@SimonSapin
Merge pull request #83 from valenting/master
Loading status checks…
d65fdce 
Public urlutils and check type in set_scheme
@SimonSapin SimonSapin merged commit d65fdce into servo:master Feb 26, 2015
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
@valenting @SimonSapin
You can’t perform that action at this time.