Closed Bug 305803 Opened 19 years ago Closed 19 years ago

sloppy URL parsing leads to confusion

Categories

(SeaMonkey :: General, defect)

Product:
SeaMonkey
Component:
General
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: mnemo, Unassigned)

Details

(Whiteboard: INVALID?) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.11) Gecko/20050728
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.11) Gecko/20050728

- Why isn't mozilla telling me about this clearly invalid URL?
- Why is mozilla showing two completely different sites for these seeming
similar URLs?

This could clearly be used for malicious purposes because if I surf to for
instance http://www.paypal.com./ then chances are that I might just think that
I'm actually viewing the PAYPAL.com site... Of course this would requiring
hacking the paypal server and fiddling with their HTTPd config but hey... 

Anyway, it's very confusing. imho URL parsing should be a little more strict. I
have no idea what kind of weird webserver/client config gives DIFFERENT sites
for these similar URLs but....

Using the same trick on CNN gives the same sites, ie for http://www.cnn.com./
and http://www.cnn.com/



Reproducible: Always

Steps to Reproduce:
1. surf to this site http://www.barbrobetalar.se./
   (NOTE THE WEIRD TRAILING DOT)

2. surf to this site http://www.barbrobetalar.se/
   (NO WEIRD TRAILING DOT)

3. wtf omg plz lol?
This is how it's supposed to work.  If you see different sites, it's just a
matter of server configuration (confusion over the Host: header).  But you're
still talking to the same server (just referenced with a fully-qualified domain
name).  For secure sites you will get a certificate name mismatch warning message.

Again, this is correct behavior.  There is nothing invalid or sloppy going on.
Whiteboard: INVALID?
Later in the evening yesterday I found out that MSIE does this too so I started
to suspect it was some kind of standard. I assume that this standard comes from
some type of w3c URL specification then, right?

I still think this is confusing to the user though, but overriding a specific
standard is probably not a good idea.

Still, if this is indeed a feature and not a bug; what is it good for? i.e. what
is the intended functionality of surfing to http://cnn.com./

It's no means obvious to me what is supposed to happen when I use this URL.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
In case you're still curious, the difference between "cnn.com." and "cnn.com" is the following:

The hostname "cnn.com." means the "cnn" subdomain of the "com" subdomain of the root.

The hostname "cnn.com" means the "cnn" subdomain of the "com" subdomain of the first thing in your search path that resolves (the root is always in the search path).  For example, for a typical DNS setup on the MIT campus, "cnn.com" would first look up "cnn.com.mit.edu", and only after that "cnn.com.".  Similar for any other sort of intranet-like thing.
Thanks Boris.
You need to log in before you can comment on or make changes to this bug.