- From: Mike Samuel <msamuel@google.com>
- Date: Fri, 27 Jun 2014 13:56:57 -0400
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: uri@w3.org
On Fri, Jun 27, 2014 at 12:55 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> will differ regarding to when it is done (if at all). Likewise, ".." is
> only special during the relative->absolute conversion, so normalizing the
> %2E after relative parsing is going to result in a ".." segment.
I think this is the part I was missing: that resolution is a separate
operation from absolution (?).
In that case, among the libraries, only Java's normalize() is broken.
It advertises
"""
If a ".." segment is preceded by a non-".." segment then both of these
segments are removed. This step is repeated until it is no longer
applicable.
"""
Browsers sending non-absolute URIs for HTTP/HTTPS seems problematic.
RFC 7230 says:
"""
request-target = origin-form / absolute-form / authority-form /
asterisk-form
"""
and those non-terminals are defined thus:
"""
absolute-form = absolute-URI
...
asterisk-form = "*"
...
authority-form = authority
...
origin-form = absolute-path [ "?" query ]
"""
Conflating absolute and non-absolute paths could have some security
consequences, since the semantics of cookies depend on them, but
cookie path restrictions are not widely used. I don't recall whether
similarly named cookies on different paths mask one another, but fewer
cookies rarely mean greater privileges.
Received on Friday, 27 June 2014 17:57:25 UTC
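A worked illustration of the ordering point discussed in this message, added here as an editor's example and not part of Mike's or Roy's text: RFC 3986 remove_dot_segments applied to the raw (still percent-encoded) path, and then %2E decoded, versus decoding first. Function names and sample paths are constructed for this example; Java's normalize() is not reproduced.

```python
"""Dot-segment removal versus %2E decoding: the order matters."""
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4, segment-based, for an origin-form path.

    Only the literal segments "." and ".." are special. A segment such
    as "%2E%2E" is an ordinary segment and is carried through untouched.
    """
    if not path.startswith("/"):
        raise ValueError("expects an absolute-path (origin-form)")
    segments = path[1:].split("/")
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")  # "/a/.." -> "/"
        elif seg == ".":
            if last:
                out.append("")  # "/a/." -> "/a/"
        else:
            out.append(seg)
    return "/" + "/".join(out)


def normalize_then_decode(path: str) -> str:
    """The order the message argues for: resolve dot segments on the
    raw path first, then decode %2E. An encoded "%2E%2E" survives
    resolution and only afterwards becomes a literal ".." segment."""
    return unquote(remove_dot_segments(path))


def decode_then_normalize(path: str) -> str:
    """The mistaken order: decoding first lets "%2E%2E" act as a
    traversal segment and collapse a path component."""
    return remove_dot_segments(unquote(path))


def literal_dot_segments(path: str) -> list:
    """Defender's check after correct-order processing: any remaining
    "." or ".." is a literal component, not a traversal, and a server
    mapping the path onto a filesystem should treat it as such (or
    reject it) rather than resolve it again."""
    return [s for s in path.split("/") if s in (".", "..")]
```

Running `normalize_then_decode("/a/b/%2E%2E/c")` yields `/a/b/../c` with one literal `..` segment flagged, whereas `decode_then_normalize` on the same input yields `/a/c`.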