Skip to content

/ servo

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement checks on Location setters #23670

Closed
wants to merge 6 commits into from
+27 −37
Closed

Implement checks on Location setters #23670

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9845249
only allow http/https protocols
braddunbar Jun 29, 2019
3c8df69
host or hostname: abort if url cannot be a base
braddunbar Jun 30, 2019
97e967c
port: abort if url cannot have username/password/port
braddunbar Jun 30, 2019
3f2abcc
pathname: terminate if cannot-be-a-base
braddunbar Jun 30, 2019
6c31813
remove failure expectations
braddunbar Jul 1, 2019
05f7547
link to cannot have a username password spec
braddunbar Jul 1, 2019
File filter...
Filter file types
Jump to…
Jump to file
Failed to load files.

Always

Just for now

Next

only allow http/https protocols

  • Loading branch information
@braddunbar
braddunbar committed Jun 30, 2019
Verified
This commit was signed with a verified signature.
braddunbar Brad Dunbar
GPG key ID: C32E3CC9B201C719 Learn about signing commits
commit 98452495dd63a121e8e6d14386a26c0b628a52e8
6 components/script/dom/location.rs
View file
Open in desktop
@@ -217,7 +217,11 @@ impl LocationMethods for Location {
// https://html.spec.whatwg.org/multipage/#dom-location-protocol
fn SetProtocol(&self, value: USVString) -> ErrorResult {
self.check_same_origin_domain()?;
self.set_url_component(value, UrlHelper::SetProtocol);
// If copyURL's scheme is not an HTTP(S) scheme, then terminate these steps.
let scheme = value.split(':').next().unwrap();
if scheme.eq_ignore_ascii_case("http") || scheme.eq_ignore_ascii_case("https") {

This comment has been minimized.

Sign in to view
Copy link
@gterzian

gterzian Jul 1, 2019

Member

The spec contains this note:

Because the URL parser ignores multiple consecutive colons, providing a value of "https:" (or even "https::::") is the same as providing a value of "https".

Does this allow for multiple consecutive colons?

If this is currently not tested in the existing tests, you could also consider adding such a testcase.

This comment has been minimized.

Sign in to view
Copy link
@braddunbar

braddunbar Jul 1, 2019

Author

Ok, I'll write some tests!
self.set_url_component(value, UrlHelper::SetProtocol);
}
Ok(())
}

16 ...html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini
View file
Open in desktop
@@ -17,19 +17,3 @@

[Set data URL frame location.protocol to http+x]
expected: FAIL

[Set HTTP URL frame location.protocol to gopher]
expected: FAIL

[Set HTTP URL frame location.protocol to http+x]
expected: FAIL

[Set HTTP URL frame location.protocol to ftp]
expected: FAIL

[Set HTTP URL frame location.protocol to data]
expected: FAIL

[Set HTTP URL frame location.protocol to x]
expected: FAIL

ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.