Bug 54084 - Hostnames should cannonicalize to lowercase (to match every other browser)
Summary: Hostnames should cannonicalize to lowercase (to match every other browser)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Eric Seidel (no email)
URL:
Keywords:
Depends on: 54318
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-09 02:23 PST by Eric Seidel (no email)
Modified: 2011-02-11 15:28 PST (History)
9 users (show)

See Also:

Attachments
Patch (13.87 KB, patch)
2011-02-09 02:24 PST, Eric Seidel (no email) 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Seidel (no email) 2011-02-09 02:23:25 PST 
Hostnames should cannonicalize to lowercase (to match every other browser)
Comment 1 Eric Seidel (no email) 2011-02-09 02:24:19 PST 
Created attachment 81777 [details]
Patch
Comment 2 WebKit Commit Bot 2011-02-09 04:13:39 PST 
Comment on attachment 81777 [details]
Patch

Clearing flags on attachment: 81777

Committed r78044: <http://trac.webkit.org/changeset/78044>
Comment 3 WebKit Commit Bot 2011-02-09 04:13:43 PST 
All reviewed patches have been landed.  Closing bug.
Comment 4 Timothy Hatcher 2011-02-10 11:16:10 PST 
This caused regressions and breakage in Safari extensions. Extension URLs (based on bundle identifiers) are allowed to have only case differences. But now with this change the extension URLs conflict and no longer uniquely identify an extension.

I'd like to propose this change only apply to http, https and maybe file URLs. It seems wrong to assume lowercase is correct for all other URL schemes. Does that seem okay to you Eric?
Comment 5 Adam Barth 2011-02-10 13:17:11 PST 
Can you give an example of a Safari extension URL?

Quoting from http://www.ietf.org/rfc/rfc2396.txt

---8<---

   The URI syntax is dependent upon the scheme.  In general, absolute
   URI are written as follows:

      <scheme>:<scheme-specific-part>

   An absolute URI contains the name of the scheme being used (<scheme>)
   followed by a colon (":") and then a string (the <scheme-specific-
   part>) whose interpretation depends on the scheme.

   The URI syntax does not require that the scheme-specific-part have
   any general structure or set of semantics which is common among all
   URI.  However, a subset of URI do share a common syntax for
   representing hierarchical relationships within the namespace.  This
   "generic URI" syntax consists of a sequence of four main components:

      <scheme>://<authority><path>?<query>

   each of which, except <scheme>, may be absent from a particular URI.
   For example, some URI schemes do not allow an <authority> component,
   and others do not use a <query> component.

--->8----

In particular, the question is what sort of URI these things are.
Comment 6 Timothy Hatcher 2011-02-10 13:24:37 PST 
They are hierarchical.

safari-extension://com.apple.Safari.Test-8Y3CDS73R8/cf03fc47/test.html
Comment 7 Adam Barth 2011-02-10 15:33:32 PST 
Ok.  We can change KURL to be more selective about which schemes it canonicalizes.  However, please be aware that extensions whose authority differ only in case will not be properly isolated from each other by the web platform.  In particular, they'll inhabit the same security origin, which means they can XSS each other.  Also, they'll share persistent storage, such as localStorage.

Another note: because you've reversed the dotted authority hierarchy, there could be serious negative security interactions with with cookies and document.domain (as well as other security features that attempt to understand the DNS hierarchy).
Comment 8 Adam Barth 2011-02-10 15:34:03 PST 
+sam because there are interactions with SecurityOrigin canonicalization too.
Comment 9 Adam Roben (:aroben) 2011-02-10 15:36:45 PST 
(In reply to comment #7)
> Ok.  We can change KURL to be more selective about which schemes it canonicalizes.  However, please be aware that extensions whose authority differ only in case will not be properly isolated from each other by the web platform.  In particular, they'll inhabit the same security origin, which means they can XSS each other.  Also, they'll share persistent storage, such as localStorage.

This is good to know, and may require us to make changes in Safari.

> Another note: because you've reversed the dotted authority hierarchy, there could be serious negative security interactions with with cookies and document.domain (as well as other security features that attempt to understand the DNS hierarchy).

We're aware of that, and are using SecurityOrigin's "domain relaxation forbidden" concept to try to head off problems here. (In fact, this is what that concept was added for.)
Comment 10 Eric Seidel (no email) 2011-02-10 21:51:50 PST 
Filed bug 54271 about making a special case for safari-extension.  I'll write up a patch tomorrow.
Comment 11 Eric Seidel (no email) 2011-02-10 21:53:02 PST 
@abarth: Do we need to file bugs about the possible security issues with safari-extension?  Would you be willing to file those bugs?
Comment 12 Adam Barth 2011-02-10 22:08:29 PST 
(In reply to comment #11)
> @abarth: Do we need to file bugs about the possible security issues with safari-extension?  Would you be willing to file those bugs?

I don't know enough of the details to answer that question.  If there's a problem, the solution is also likely to be in the Safari layer rather than the WebKit layer.  I'll defer to folks who know more about these things to assess whether these issues are actually problematic.
Comment 13 Adam Roben (:aroben) 2011-02-11 07:01:46 PST 
I filed <rdar://problem/8988695> to cover the Safari issues.