IETF Logo Mail Archive

Re: Last Call: <draft-holsten-about-uri-scheme-06.txt> (The 'about' URI scheme) to Proposed Standard

Boris Zbarsky <bzbarsky@MIT.EDU> Fri, 17 June 2011 16:53 UTC

Return-Path: <bzbarsky@mit.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD08011E8210 for <ietf@ietfa.amsl.com>; Fri, 17 Jun 2011 09:53:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.800, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_16=0.6, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-rrC+Pe4tYz for <ietf@ietfa.amsl.com>; Fri, 17 Jun 2011 09:53:56 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (DMZ-MAILSEC-SCANNER-3.MIT.EDU [18.9.25.14]) by ietfa.amsl.com (Postfix) with ESMTP id 0841C11E820E for <ietf@ietf.org>; Fri, 17 Jun 2011 09:53:54 -0700 (PDT)
X-AuditID: 1209190e-b7c39ae000000a8c-72-4dfb868d998f
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id C3.B1.02700.D868BFD4; Fri, 17 Jun 2011 12:53:33 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id p5HGrrLR026700; Fri, 17 Jun 2011 12:53:53 -0400
Received: from Boris-Zbarskys-MacBook-Pro-2.local (pool-71-184-125-56.bstnma.fios.verizon.net [71.184.125.56]) (authenticated bits=0) (User authenticated as bzbarsky@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id p5HGrpYm027980 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Fri, 17 Jun 2011 12:53:53 -0400 (EDT)
Message-ID: <4DFB869F.4050401@mit.edu>
Date: Fri, 17 Jun 2011 12:53:51 -0400
From: Boris Zbarsky <bzbarsky@MIT.EDU>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Subject: Re: Last Call: <draft-holsten-about-uri-scheme-06.txt> (The 'about' URI scheme) to Proposed Standard
References: <4D3A64FF.1020000@mit.edu> <4DF87637.2000301@gmail.com> <4DF8D6C6.5080005@mit.edu> <4DF9C5EE.9010703@lachy.id.au> <4DFAD1F6.70203@gmail.com> <4DFAD8CD.2030402@mit.edu> <4DFB39A6.5050105@lachy.id.au>
In-Reply-To: <4DFB39A6.5050105@lachy.id.au>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrFIsWRmVeSWpSXmKPExsUixG6nrtvb9tvXoPM/l8WzjfNZLNbN/Mbs wOSxZMlPJo95hzqZA5iiuGxSUnMyy1KL9O0SuDKWH/vCXNAkWTF1yQa2BsZ7Ql2MnBwSAiYS d/49YoWwxSQu3FvP1sXIxSEksI9RYsuFaawQzgZGiTOfDjFBOK+YJA4/n8cO0sIroCbRtKGV EcRmEVCV6D8zGWwUG1D8/ulGJhBbVKBQYsb3mYwQ9YISJ2c+YQGxRQS0JR697QKrYRZQlvgy 5w0biC0skC/Rsh7mjEuMEqt3TARbxgnU8Hv6e2aIBjOJrq1djBC2vMT2t3OYJzAKzkKyYxaS sllIyhYwMq9ilE3JrdLNTczMKU5N1i1OTszLSy3SNdbLzSzRS00p3cQICmJOSb4djF8PKh1i FOBgVOLhXVDw21eINbGsuDL3EKMkB5OSKK96E1CILyk/pTIjsTgjvqg0J7X4EKMEB7OSCO95 M6Acb0piZVVqUT5MSpqDRUmcd6akuq+QQHpiSWp2ampBahFMVoaDQ0mCVw0YrUKCRanpqRVp mTklCGkmDk6Q4TxAwwNAaniLCxJzizPTIfKnGBWlxHldQBICIImM0jy4XliSecUoDvSKMK8K SBUPMEHBdb8CGswENPjfr18gg0sSEVJSDYxCmfH3M+wbL3n5nThzjHOHybTgk+m7r4hm7y/u +cJ/5dHyB40Z2+ft0P3L5RC+rqOr4sfdhxvOmTg9ehHw9anbtd7z5k+vWvyOn7K3/KiHZ/X0 26Ud2xYUh9VWqE7f/fNJxNLqTtd5M07MFIljqT0UM/erteP+OZPWVS+Lk6lkWDP7heMt8XRb JZbijERDLeai4kQA60Iraw0DAAA=
X-Mailman-Approved-At: Mon, 20 Jun 2011 07:34:06 -0700
Cc: IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2011 16:53:56 -0000

On 6/17/11 7:25 AM, Lachlan Hunt wrote:
> On 2011-06-17 06:32, Boris Zbarsky wrote:
>> On 6/17/11 12:03 AM, Mykyta Yevstifeyev wrote:
>>>>> not
>>>>> clearly compatible with the web security model,
>>> How?
>>
>> "about:blank" in particular is magic with respect to security on the web
>> in various ways (e.g. it can end up same-origin with http:// pages). So
>> I think we do need to specify exactly when this magic security behavior
>> takes place.
>
> The spec is not meant to imply that the special same-origin behaviour
> for about:blank is to be inherited by any other about URI, even if other
> URIs also return a blank document. Perhaps, I need to make that clearer
> in the spec.

Yes, but is it meant to be inherited by "about:blan%6b" ?  That's the 
issue that needs sorting out in terms of normalization, for example.

The current spec draft explicitly says that "about:blan%6b" and 
"about:blank" are equivalent.

I just did some testing on that, since it looks like it won't happen 
otherwise.  You can see the testcase I used at the end of the mail. 
Results are:

Gecko all versions: URI not loaded at all
Chrome 11 stable: document URI is still shown as escaped,
                   security magic is done
Chrome 14 dev: same as Chrome 11 stable
WebKit tip: same as Chrome 11 stable
Safari 5: same as Chrome 11 stable
Opera 11.11: URI not loaded at all (or at least the subframe's load
              event doesn't fire).
IE9: Loads error page in the subframe and alerts an access denied error.
      This is the same in stadards, IE8, IE7, and quirks modes (though
      the textual representation of the error varies).

I didn't bother testing older Opera versions; if someone cares please 
feel free to do so.

Note that some browsers have behavior that differs between iframes and 
the url bar.  For the url bar, I observe the following behaviors for 
"about:blan%6b":

Firefox all versions: alert saying the URI is invalid and cannot be
                       loaded.
Chrome 11: URL bar shows "about:blank", content area shows a blank
            document.
Chrome 14: redirects to chrome://blank which then gives an "invalid
            URI" error page
WebKit tip: URL bar shows "about:blan%6b", content area shows a blank
             document.
Safari 5: As WebKit tip.
Opera 11.11: Redirects to "opera:blank" which gives an "Invalid address"
              error page.
IE9: URL bar shows "about:blan%6b" and an error page is shown.

So it could be argued that Chrome 11, WebKit tip, and Safari 5 do what 
the spec currently calls for.  No other browser does.  And Chrome 14 is 
inconsistent in how it handles this URI depending on the context it's 
encountered in.

-Boris

Testcase:

<!DOCTYPE HTML>
<body>
   <iframe id="iframe"></iframe>
   <script>
     var i;
     onload = function() {
       i = document.getElementById("iframe");
       i.onload = function() {
         try {
           alert(this.contentDocument.documentURI);
           alert(this.contentDocument.documentElement);
         } catch(e) { alert(e); }
       }
       i.src = "about:blan%6b";
     }
   </script>
</body>

v2.23.0 | Report a Bug | By Email