Re: Draft minutes of 18-October-2005 TAG Telcon

In the minutes, Roy Fielding tries to reproduce the test case and says
that Safari does not send the extra "../" path segments. I also tried
this test and got different results from Roy.

Using Safari 1.3.1 (v312.3.1) on Mac OS X Version 10.3.9 Build 7W98, I
typed "http://localhost/foo/../../../" into the address bar. Safari
automatically changed this to "http://localhost/../". On the server
side, I received:

GET /../ HTTP/1.1
Host: localhost
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
AppleWebKit/312.5.1 (KHTML, like Gecko) Safari/312.3.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en

It doesn't seem to matter how many extra "../" path segments I type
in, Safari always sends just the one. According to the Software Update
utility, all the software on my iBook is up to date.

Both Firefox and IE, produced the request Roy Fielding described. Only
Safari sent the extra "../" path segment.


The web-calculus is the union of REST and capability-based security:

Name your trusted sites to distinguish them from phishing sites.

Received on Wednesday, 19 October 2005 01:06:22 UTC