NEW 272734
Investigate SecurityOrigin::shouldIgnoreHost() 
https://bugs.webkit.org/show_bug.cgi?id=272734
Summary Investigate SecurityOrigin::shouldIgnoreHost()
Anne van Kesteren
Reported 2024-04-16 01:23:38 PDT
In particular the way this method is used doesn't seem very sound. Stripping the host and port of data:/about:/javascript:/file: URLs and then just carrying on as if nothing happened.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-04-23 01:24:50 PDT
<rdar://problem/126907661>
Anne van Kesteren
Comment 2 2025-01-14 03:58:11 PST
These checks are the result of bug 205157 and bug 212739. I can see them working for file: URLs, but not for about: URLs. E.g., location="about://test:12/blank" stays as about://test:12/blank in the address bar, though document.URL does end up returning about:///blank. (Not sure how beneficial that is as it doesn't work as a URL anyway.) I also think Windows ports would not want this behavior as there file: URLs with hosts have significant meaning. A proper fix here would likely to make it a network error when schemes violate certain invariants we decide to care about.
Note You need to log in before you can comment on or make changes to this bug.