Re: Last Call: <draft-holsten-about-uri-scheme-06.txt> (The 'about' URI scheme) to Proposed Standard

2011-06-15 05:13:56
On 2011-06-15 11:07, Mykyta Yevstifeyev wrote:
...
2) Section 6 says:

For example, "about:blank", "about:blan%6B" and "about:blan%6b"
are equivalent

In Gecko they are not. The string after ':' is treated as a literal
string; when looking up a way to handle the URI the second and third
URIs above are treated as unparseable by Gecko in its default
configuration. Changing this has some security implications that would
require careful auditing of not only Gecko code but some
specifications (e.g. HTML5 defines certain special-case security
behavior for about:blank that's not obviously safe to apply to the
other strings above).

The same section says:

Similarly, "about:blank%3F" is not equivalent to "about:blank?".

which I think is trying to explain by example that only unreserved
characters need to be unescaped. But that assumes an implementation of
RFC 3986 which may or may not be the case in web browsers (and is NOT
the case in Gecko, for example, for various web-compatibility
reasons). Unless there are very strong reasons for it, I would
recommend that no normalization is performed on about: URIs, period.

The point of this comment is to propose abandoning normalization of
'about' URIs because of some ad hoc behavior of only one application -
Gecko. The purpose of our draft is to give a stable specification of the
scheme and normalize all existing types of behavior with regard to
handling 'about' URIs. It will be easier for Gecko to change its
behavior rather than for other apps to do this.
...

I agree that not treating them as equivalent is a bug.

That being said, if our Mozilla friends do not want to fix this it might be a good idea to warn readers that certain implementations fail to properly unescape, thus it's unwise to rely on that behavior (why would you anyway?).

Best regards, Julian
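
The two comparison policies debated in this thread, side by side, as an added example (not code from the draft, from Gecko, or from any participant): literal comparison of the text after "about:", versus decoding percent-escapes of unreserved characters as in RFC 3986 section 6.2.2.2. The function names are hypothetical, and "literal" only models the no-normalization behavior described in the quoted comment.

```javascript
// Unreserved characters per RFC 3986 section 2.3.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Decode %XX only when the octet is an unreserved character; escapes that
// stay encoded get uppercase hex digits (RFC 3986 section 6.2.2.1).
function normalizeUnreserved(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (match, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : "%" + hex.toUpperCase();
  });
}

// Text after "about:", or null for anything else. Scheme-case handling is
// deliberately left out; the thread does not discuss it.
function aboutPart(uri) {
  return uri.startsWith("about:") ? uri.slice("about:".length) : null;
}

// policy "literal": compare the raw strings (no normalization).
// policy "normalize": compare after unreserved-only unescaping.
function equivalent(a, b, policy) {
  const ra = aboutPart(a);
  const rb = aboutPart(b);
  if (ra === null || rb === null) return false;
  if (policy === "normalize") {
    return normalizeUnreserved(ra) === normalizeUnreserved(rb);
  }
  return ra === rb;
}

// URIs for which the two policies give different answers against a
// reference URI. A dispatcher using one policy and a security check using
// the other would disagree on exactly these, so they are the audit set.
function policyMismatches(reference, candidates) {
  return candidates.filter(
    (u) => equivalent(reference, u, "literal") !== equivalent(reference, u, "normalize")
  );
}

// Constructed sample: the URIs quoted in the thread.
const SAMPLE_URIS = [
  "about:blank", "about:blan%6B", "about:blan%6b",
  "about:blank%3F", "about:blank?",
];

console.log(policyMismatches("about:blank", SAMPLE_URIS));
```

Whichever policy an implementation picks, the code that decides on special-case about:blank treatment has to use the same comparison as the code that resolves the URI.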