Re: img issue: should we restrict the URI

Ian Hickson wrote:
> On Wed, 13 Aug 2008, Christian Schmidt wrote:
>> Christian Schmidt wrote:
>>> It may be an idea to disallow the URL consisting of the empty string, 
>>> i.e. <img src="">.
>> FWIW Firefox now ignores <img src=...> when src is a reference to the 
>> containing document: https://bugzilla.mozilla.org/show_bug.cgi?id=444931
> 
> On Wed, 13 Aug 2008, Boris Zbarsky wrote:
>> No, it ignores <img src=""> when the base URI for the image node is the 
>> document URI (which isn't quite the same thing as what you said).
> 
> What Christian said appears to be more accurate:
> 
> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%3Cbase%20href%3D%22image%22%3E%3Cimg%20src%3D%22%22%3E

Gecko doesn't allow relative URIs in @href on <html:base> (per HTML4, 
though HTML5 changes this), so this test isn't testing what it thinks 
it's testing, as far as I can see.

> I don't understand why we would define things this way though. If the 
> server wants to return different files each time, and return an image once 
> and a document another time and a style sheet a third time, why not?

Basically because:

1)  Doing that seems like an abuse of the HTTP content-negotiation
     feature (possibly not conforming to HTTP on the part of the server,
     though this is debatable).
2)  In practice no one does that.
3)  In practice sites somewhat commonly have <img src="">.  We (Gecko)
     have had 28 independent bug reports filed (with people bothering to
     create an account in the bug database, etc) about the behavior
     difference from IE here.  That's a much larger number of bug
     reports than we usually get about a given issue.  I can't tell you
     why this pattern is so common (e.g. whether some authoring
     frameworks produce it in some cases), but it seems that a number
     of web developers not only produce markup like this but notice
     the requests in their HTTP logs and file bugs about it.
4)  The performance implications on high-latency networks (e.g.
     cell-phone networks) of dealing with this sort of markup are
     not that pretty, at least in Gecko.

I should note that we did _not_ make a similar change for 
|background-image: url()| in CSS, at least in part because we've had 
many fewer reports about it (3 or 4).  I do see the whole thing as a 
hack, and would have been more strongly opposed to doing anything 
special here (and was for a long time) if not for point 3 above and the 
combination of 1 and 2...  Point 4 was just the impetus for someone 
actually writing a patch.

-Boris

Received on Tuesday, 2 December 2008 15:48:56 UTC
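
The case discussed in this message, as an added example that is not part of the original thread or of Gecko's code: a small linter that flags <img> elements whose src resolves to the containing document, which is the markup behind the extra requests people noticed in their HTTP logs. The class and function names, the sample URLs, and the matching rule (resolved URL equals the document URL with fragments dropped) are assumptions; allow_relative_base=False models the HTML4 reading in which a relative href on <base> is ignored, True models the HTML5 reading.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlsplit


class SelfRefImgFinder(HTMLParser):
    """Collect <img> tags whose src resolves to the containing document."""

    def __init__(self, doc_url, allow_relative_base=True):
        super().__init__()
        self.doc_url = urldefrag(doc_url).url
        self.base_url = self.doc_url          # base URI defaults to the document URI
        self.allow_relative_base = allow_relative_base
        self.base_seen = False
        self.hits = []                        # (line, raw src, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and not self.base_seen and attrs.get("href") is not None:
            self.base_seen = True             # only the first <base href> counts
            href = attrs["href"]
            # HTML4 reading: a relative href on <base> is ignored entirely.
            if self.allow_relative_base or urlsplit(href).scheme:
                self.base_url = urldefrag(urljoin(self.doc_url, href)).url
        elif tag == "img" and "src" in attrs:
            src = attrs["src"] or ""          # a valueless src attribute parses as None
            resolved = urldefrag(urljoin(self.base_url, src)).url
            if resolved == self.doc_url:      # fetching it would re-request the page
                self.hits.append((self.getpos()[0], src, resolved))


def find_self_referencing_imgs(html, doc_url, allow_relative_base=True):
    finder = SelfRefImgFinder(doc_url, allow_relative_base)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample inputs (not the thread's test page).
DOC = "http://example.test/dir/page.html"
PLAIN = '<!DOCTYPE html>\n<img src="">\n<img src="page.html#x">\n<img src="logo.png">'
WITH_BASE = '<!DOCTYPE html><base href="image"><img src="">'

if __name__ == "__main__":
    print(find_self_referencing_imgs(PLAIN, DOC))
    print(find_self_referencing_imgs(WITH_BASE, DOC, allow_relative_base=True))
    print(find_self_referencing_imgs(WITH_BASE, DOC, allow_relative_base=False))
```

With a relative <base href>, the same markup is flagged or not depending on how the base is treated, which is why a test built on <base href="image"> gives different answers under the two readings.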