Link header parsing is too loose

RESOLVED FIXED in mozilla8

Status

()

Core
DOM
RESOLVED FIXED
14 years ago
6 years ago

People

(Reporter: bz, Assigned: Julian Reschke)

Tracking

(Blocks: 1 bug)

Trunk
mozilla8
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [inbound], URL)

Attachments

(1 attachment)

See also 

http://www.hixie.ch/tests/adhoc/http/link/007.html
http://www.hixie.ch/tests/adhoc/http/link/008.html

Basically, we are parsing things that aren't really Link headers as Link headers.
(Assignee)

Comment 1

8 years ago
Furthermore, it appears that Firefox ignores the "anchor" parameter (see http://tools.ietf.org/html/rfc2068#section-19.6.2.4).

What it should do is resolve the anchor (when given) against the request-uri, and only continue processing it if the resolved URI identifies the same resource.
> What it should do is resolve the anchor (when given) against the request-uri,
> and only continue processing it if the resolved URI identifies the same
> resource.

Of course the RFC doesn't actually say any of that.  I'm quite happy to implement what it does say, if I could figure out what that is; it says how the field MAY be used, but not how one MUST process it (or heck, SHOULD or MAY process, for that matter; processing is completely undefined).

In any case, that should probably be a separate bug.
(Assignee)

Comment 3

8 years ago
(In reply to comment #2)
> > What it should do is resolve the anchor (when given) against the request-uri,
> > and only continue processing it if the resolved URI identifies the same
> > resource.
> 
> Of course the RFC doesn't actually say any of that.  I'm quite happy to
> implement what it does say, if I could figure out what that is; it says how the
> field MAY be used, but not how one MUST process it (or heck, SHOULD or MAY
> process, for that matter; processing is completely undefined).
> 
> In any case, that should probably be a separate bug.

1) Just because there's no SHOULD or MUST there doesn't mean it's normative. That being said I agree that RFC 2068 is not very clear about it, and hopefully draft-nottingham-http-link-header can be made clearer.

2) Will open a new bug.
Assignee: general → nobody
QA Contact: ian → general
(Assignee)

Comment 4

6 years ago
(In reply to comment #0)
> See also 
> 
> http://www.hixie.ch/tests/adhoc/http/link/007.html

"my" test: 

  http://greenbytes.de/tech/tc/httplink/#simplecssreversed

Opera passes here so I think FF should align. I will work on this.

> http://www.hixie.ch/tests/adhoc/http/link/008.html

I believe this will be fixed once the fix for bug 672079 is in.

> Basically, we are parsing things that aren't really Link headers as Link
> headers.
(Assignee)

Comment 5

6 years ago
> ...
> > http://www.hixie.ch/tests/adhoc/http/link/008.html
> 
> I believe this will be fixed once the fix for bug 672079 is in.
> ...

Is is. (So what's left to fix for this bug are 

  http://www.hixie.ch/tests/adhoc/http/link/007.html

  http://greenbytes.de/tech/tc/httplink/#simplecssreversed
)
(Assignee)

Comment 6

6 years ago
Created attachment 550366 [details] [diff] [review]
proposed patch

This changes the header field parser so that the <target> is only accepted when coming first (this is required by the ABNF and actually enforced in Opera).

This fixes 

 http://greenbytes.de/tech/tc/httplink/#simplecssreversed

and 

  http://www.hixie.ch/tests/adhoc/http/link/007.html

(where http://www.hixie.ch/tests/adhoc/http/link/008.html is already fixed)
Attachment #550366 - Flags: review?(bzbarsky)
Comment on attachment 550366 [details] [diff] [review]
proposed patch

r=me
Attachment #550366 - Flags: review?(bzbarsky) → review+
Keywords: checkin-needed
Assignee: nobody → julian.reschke

Updated

6 years ago
Keywords: checkin-needed
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/0cff49ed75df
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
You need to log in before you can comment on or make changes to this bug.