Closed Bug 305803 Opened 20 years ago Closed 20 years ago

sloppy URL parsing leads to confusion

Categories

(SeaMonkey :: General, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mnemo, Unassigned)

Details

(Whiteboard: INVALID?)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.11) Gecko/20050728
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.11) Gecko/20050728

- Why isn't Mozilla telling me about this clearly invalid URL?
- Why is Mozilla showing two completely different sites for these seemingly similar URLs?

This could clearly be used for malicious purposes because if I surf to, for instance, http://www.paypal.com./ then chances are that I might just think that I'm actually viewing the PAYPAL.com site... Of course this would require hacking the paypal server and fiddling with their HTTPd config but hey...

Anyway, it's very confusing. imho URL parsing should be a little more strict. I have no idea what kind of weird webserver/client config gives DIFFERENT sites for these similar URLs but....

Using the same trick on CNN gives the same sites, i.e. for http://www.cnn.com./ and http://www.cnn.com/

Reproducible: Always

Steps to Reproduce:
1. surf to this site http://www.barbrobetalar.se./ (NOTE THE WEIRD TRAILING DOT)
2. surf to this site http://www.barbrobetalar.se/ (NO WEIRD TRAILING DOT)
3. wtf omg plz lol?
This is how it's supposed to work. If you see different sites, it's just a matter of server configuration (confusion over the Host: header). But you're still talking to the same server (just referenced with a fully-qualified domain name). For secure sites you will get a certificate name mismatch warning message. Again, this is correct behavior. There is nothing invalid or sloppy going on.
Whiteboard: INVALID?
Later in the evening yesterday I found out that MSIE does this too so I started to suspect it was some kind of standard. I assume that this standard comes from some type of W3C URL specification then, right? I still think this is confusing to the user though, but overriding a specific standard is probably not a good idea. Still, if this is indeed a feature and not a bug, what is it good for? I.e. what is the intended functionality of surfing to http://cnn.com./? It's by no means obvious to me what is supposed to happen when I use this URL.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
In case you're still curious, the difference between "cnn.com." and "cnn.com" is the following: The hostname "cnn.com." means the "cnn" subdomain of the "com" subdomain of the root. The hostname "cnn.com" means the "cnn" subdomain of the "com" subdomain of the first thing in your search path that resolves (the root is always in the search path). For example, for a typical DNS setup on the MIT campus, "cnn.com" would first look up "cnn.com.mit.edu", and only after that "cnn.com.". Similar for any other sort of intranet-like thing.
Thanks Boris.
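The search-path lookup order and the Host: header confusion described in the comments above, as an added Python example that is not part of the original bug report or of Mozilla's code. The `ndots` parameter is modelled on the glibc resolv.conf option of that name (the order in the MIT example corresponds to the search list being tried first, here `ndots=2`), and the vhost table and `example.com` names are constructed.

```python
# Added example: all names and the vhost table are constructed for illustration.

def lookup_candidates(name, search, ndots=1):
    """Return the fully qualified names a stub resolver would try, in order."""
    if name.endswith("."):
        # Absolute name: anchored at the DNS root, the search list is never used.
        return [name]
    searched = [f"{name}.{suffix.strip('.')}." for suffix in search]
    absolute = name + "."
    if name.count(".") >= ndots:
        # Enough dots: try the name as absolute first, then the search list.
        return [absolute] + searched
    # Too few dots: search list first, the root-anchored name last.
    return searched + [absolute]


def canonical_host(host_header):
    """Normalise a Host header value before virtual-host selection."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:
        # IPv6 literal such as [::1]:8080, keep the bracketed part only.
        return host[: host.index("]") + 1]
    host = host.rsplit(":", 1)[0] if ":" in host else host  # drop the port
    # "www.example.com." and "www.example.com" name the same host.
    return host[:-1] if host.endswith(".") else host


VHOSTS = {"www.example.com": "main site"}  # hypothetical vhost table


def select_vhost(host_header, default="default site"):
    """Pick a site by canonical host, so the trailing dot cannot change it."""
    return VHOSTS.get(canonical_host(host_header), default)


if __name__ == "__main__":
    print(lookup_candidates("cnn.com.", ["mit.edu"]))
    print(lookup_candidates("cnn.com", ["mit.edu"], ndots=2))
    print(select_vhost("www.example.com."), "/", select_vhost("www.example.com"))
```

A server that matches the raw Host value instead of the canonical one is what produces two different sites for the dotted and undotted forms of the same name.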