Summary: | Accessing form.action as property URI-encodes spaces but not curly braces | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Adam Luikart <me> | ||||||||||||
Component: | Forms | Assignee: | Alex Christensen <achristensen> | ||||||||||||
Status: | RESOLVED CONFIGURATION CHANGED | ||||||||||||||
Severity: | Normal | CC: | achristensen, annevk, ap, beidson, buildbot, commit-queue, dbates, ilatypov, rniwa, wilander | ||||||||||||
Priority: | P2 | ||||||||||||||
Version: | WebKit Nightly Build | ||||||||||||||
Hardware: | Mac | ||||||||||||||
OS: | OS X 10.11 | ||||||||||||||
See Also: | https://bugs.webkit.org/show_bug.cgi?id=116887 | ||||||||||||||
Attachments: |
|
Description
Adam Luikart
2016-04-28 15:42:05 PDT
This is quite interesting, because in a slightly different context, percent escaping curly braces caused a serious issue (bug 116887). Took me ten minutes, and a little angst that browsers would differ per place where you can put a URL, but the difference here is that bug 116887 is about the query string, which per https://url.spec.whatwg.org/#query-state should indeed not have { and } escaped. However, per https://url.spec.whatwg.org/#path-state the path uses https://url.spec.whatwg.org/#default-encode-set which does include { and }. Thank you Anne! Seems pretty clear that we should fix this then. I think of a URL as a string that needs parsing before obtaining its values. Both the encoded and the raw curly brace would unambiguously reduce to the raw curly brace after decoding the URL. I understand the advantage of the approach "accept liberally, output conservatively" in terms of the browser presenting DOM elements to Javascript, so the suggested correction makes sense to me. I see that RFC 3986, while formally calling for encoding any character outside the following characters, ALPHA / DIGIT / "-" / "." / "_" / "~" / "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" / ":" / "@" suggests that "it is sometimes better for usability to avoid percent-encoding" special characters. These two parts of the RFC look self-contradictory. As for bug 116887, I obtained the same response from Washington Post regardless of the encoding, and I interpret this as an early conservative output. Perhaps, the server did produce different results a few years back, and the conservative output of the browser on sending the request could work that around. This difference is also evident from a much simpler test case: alert(new URL("https://webkit.org/{path}/file.html")) Created attachment 279846 [details]
Patch
This first patch is extremely under-tested, probably breaks something, and isn't optimized. I'm expecting an r-, but I'm interested if you think I'm going in the right direction. Our URL parser is a mess :( Attachment 279846 [details] did not pass style-queue:
ERROR: Source/WebCore/platform/URL.cpp:300: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3]
ERROR: Source/WebCore/platform/URL.cpp:302: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3]
ERROR: Source/WebCore/ChangeLog:8: You should remove the 'No new tests' and either add and list tests, or explain why no new tests were possible. [changelog/nonewtests] [5]
Total errors found: 3 in 5 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 279846 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=279846&action=review > LayoutTests/fast/dom/DOMURL/parsing.html:61 > +shouldBe("breakDownURL('https://webkit.org/{path}/file.html?{query}')", "'protocol=https:, host=webkit.org, pathname=/%7Bpath%7D/file.html, search=?{query}, origin=https://webkit.org, toString=https://webkit.org/%7Bpath%7D/file.html?{query}'"); Can this also be tested with an end to end test (loading a resource with curly braces in the path)? Comment on attachment 279846 [details] Patch Attachment 279846 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/1383190 New failing tests: http/tests/misc/script-defer-after-slow-stylesheet.html fast/url/url-credentials-escaping.html fast/css/uri-token-parsing.html http/tests/security/no-popup-from-sandbox-top.html fast/loader/url-strip-cr-lf-tab.html fast/url/path.html Created attachment 279849 [details]
Archive of layout-test-results from ews102 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment on attachment 279846 [details] Patch Attachment 279846 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/1383192 New failing tests: http/tests/misc/script-defer-after-slow-stylesheet.html fast/url/url-credentials-escaping.html fast/css/uri-token-parsing.html http/tests/security/no-popup-from-sandbox-top.html fast/loader/url-strip-cr-lf-tab.html fast/url/path.html Created attachment 279850 [details]
Archive of layout-test-results from ews105 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Comment on attachment 279846 [details] Patch Attachment 279846 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/1383204 New failing tests: http/tests/misc/script-defer-after-slow-stylesheet.html fast/url/url-credentials-escaping.html fast/css/uri-token-parsing.html http/tests/security/no-popup-from-sandbox-top.html fast/loader/url-strip-cr-lf-tab.html fast/url/path.html Created attachment 279856 [details]
Archive of layout-test-results from ews117 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment on attachment 279846 [details] Patch Attachment 279846 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/1383209 New failing tests: http/tests/misc/script-defer-after-slow-stylesheet.html fast/url/url-credentials-escaping.html fast/css/uri-token-parsing.html mathml/opentype/horizontal-munderover.html http/tests/security/no-popup-from-sandbox-top.html fast/loader/url-strip-cr-lf-tab.html fast/url/path.html Created attachment 279857 [details]
Archive of layout-test-results from ews122 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.4
Per https://jsdom.github.io/whatwg-url/#url=aHR0cHM6Ly93ZWJraXQub3JnL3twYXRofS9maWxlLmh0bWw=&base=YWJvdXQ6Ymxhbms= we are now correct for this input. |