RESOLVED FIXED 127970
Solidus stripping in DOMURL::setHostname seems wrong 
https://bugs.webkit.org/show_bug.cgi?id=127970
Summary Solidus stripping in DOMURL::setHostname seems wrong
Maciej Stachowiak
Reported 2014-01-30 17:09:56 PST
This code in setHostname (also in HTMLAnchorElement) seems dubious and is probably wrong: void DOMURL::setHostname(const String& value) { // Before setting new value: // Remove all leading U+002F SOLIDUS ("/") characters. unsigned i = 0; unsigned hostLength = value.length(); while (value[i] == '/') i++;
Attachments
Patch (3.73 KB, patch)
2021-05-25 10:33 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Timothy Gu
Comment 1 2021-05-21 22:19:10 PDT
Worth noting that setHost() doesn't do the solidus stripping. Equivalent Chromium bug is https://crbug.com/1212318
Alex Christensen
Comment 2 2021-05-24 10:25:04 PDT
This code has changed quite a bit since this bug was reported in 2014. It is now URLDecomposition::setHost which doesn't have the solidus removal. If there's a behavior problem related to this, feel free to reopen or file a new bug.
Timothy Gu
Comment 3 2021-05-24 15:04:21 PDT
This is still an issue, but it only affects setHostname(), not setHost(). I don't have permissions to reopen this bug, but consider u = new URL('http://abc/'); u.hostname = '////def'; console.log(u.href); versus u = new URL('http://abc/'); u.host = '////def'; console.log(u.href); In the first case, the resultant URL is http://def/, while in the second it is http://abc/. The code that does this has indeed moved to URLDecomposition: https://github.com/WebKit/WebKit/blob/4d78e56eb5b61d8f62844ab855e411477d031870/Source/WebCore/html/URLDecomposition.cpp#L152 Search for "removeAllLeadingSolidusCharacters".
Alexey Proskuryakov
Comment 4 2021-05-24 17:03:50 PDT
Reopening per the above comment.
Chris Dumez
Comment 5 2021-05-25 10:33:47 PDT
Created attachment 429665 [details] Patch
Chris Dumez
Comment 6 2021-05-25 11:36:42 PDT
Comment on attachment 429665 [details] Patch The issue with making this change is that I think we would stop matching other browsers.
Timothy Gu
Comment 7 2021-05-25 22:47:00 PDT
Hi Chris, contrary to the commit message, this change would actually _increase_ compatibility with the spec and Firefox. You can tell from the WPT rebaseline that it increases spec compliance, as it passes more tests than before. I am planning to make the change in Chromium as well soon, after some related changes get released first.
Chris Dumez
Comment 8 2021-05-26 07:56:07 PDT
(In reply to Timothy Gu from comment #7) > Hi Chris, contrary to the commit message, this change would actually > _increase_ compatibility with the spec and Firefox. You can tell from the > WPT rebaseline that it increases spec compliance, as it passes more tests > than before. I am planning to make the change in Chromium as well soon, > after some related changes get released first. I am not sure what you mean by increasing compatibility. Matching the spec does not improve compatibility if no browser matches the spec. As far as I can tell, NO major browser passes this particular WPT test (including the stable version of Firefox I tested). As a result, I believe the spec and WPT test may need to be updated to match browsers instead?
Alex Christensen
Comment 9 2021-05-26 09:29:30 PDT
Firefox follows the spec here but fails that test because it doesn't do anything when setting a hostname that is only solidus characters. Chrome has the same behavior as WebKit here. Because of that I don't think this is the right time for us to make this change.
Timothy Gu
Comment 10 2023-01-23 21:13:55 PST
2023 update: both Chrome and Firefox now follow the spec. Given the following, Chrome and Firefox both print "http://x/". Safari is the only one that prints "http://abc/". u = new URL('http://x/'); u.hostname = '/abc'; console.log(u.href);
Chris Dumez
Comment 11 2023-01-24 10:50:08 PST
Ok, I'll take a look.
Chris Dumez
Comment 12 2023-01-24 11:57:54 PST
Pull request: https://github.com/WebKit/WebKit/pull/9062
EWS
Comment 13 2023-01-25 09:26:32 PST
Committed 259366@main (865cbc8abfc5): <https://commits.webkit.org/259366@main> Reviewed commits have been landed. Closing PR #9062 and removing active labels.
Radar WebKit Bug Importer
Comment 14 2023-01-25 09:27:17 PST
<rdar://problem/104650674>
Note You need to log in before you can comment on or make changes to this bug.