[rt-users] https bug

Dan Riley dsr at mail.lns.cornell.edu
Thu Apr 25 06:14:37 EDT 2002


Smylers <smylers at gbdirect.co.uk> writes:
> Yesterday Dan Riley wrote:
> > Relative URLs, including //example.com/rt, /rt and ../rt, have been in
> > every URL/URI standard I know of since RFC 1630 (Berners-Lee, June
> > 1994).  The only browser I know of that got any of them wrong was the
> > original NeXTStep browser T.B-L wrote at CERN ...

I guess I should have mentioned that there have been URI/URL standards
since that supersede RFC 1630 (I probably also should have noted that
RFC 1630 is an "informational" RFC, not an IETF standard).

> Brief testing yesterday (by coincidence, and nothing to do with 'RT')
> uncovered what looks like a bug in the way 'IE' and 'Mozilla' handle
> relative URLs.  If you're currently viewing this page:
> 
>   http://www.example.com/Search/Listing.html
> 
> then by my reading of RFC 1630, a relative URL such as this:
> 
>   <a href="?ClearRestrictions=1">New search</a>
> 
> should resolve to this absolute URL:
> 
>   http://www.example.com/Search/?ClearRestrictions=1
> 
> but in 'IE' and 'Mozilla' it comes out as the following, failing to
> disgard the bit following the final slash:
> 
>   http://www.example.com/Search/Listing.html?ClearRestrictions=1
> 
> (If my understanding of RFC 1630 is wrong and 'IE' and 'Mozilla' are
> right, then 'Lynx' get's it wrong cos it does it t'other one.  Either
> way round there seems to be a broken browser somewhere.)

Looks like you've found a spot where the standards haven't been
consistent.  I agree with your reading of RFC 1630.  However, RFC 1630
was superseded by RFC 1808 in June 1995, and 1808 clearly agrees with
IE and Mozilla.  RFC 1808, in turn, was "updated" by RFC 2396 August
1998, and RFC 2396 appears to say that "?ClearRestrictions=1" isn't a
valid relative URI--2396 has the BNF:

      relativeURI   = ( net_path | abs_path | rel_path ) [ "?" query ]
      rel_path      = rel_segment [ abs_path ]
      rel_segment   = 1*( unreserved | escaped |
                          ";" | "@" | "&" | "=" | "+" | "$" | "," )

'?' doesn't appear in rel_segment, and the stuff in relativeURI before
'?' looks like it can't be empty.  The examples in appendix C includes
a "?..." example, which says that given

      http://a/b/c/d;p?q

it should resolve as

      ?y            =  http://a/b/c/?y

However, according to Roy Fielding (the primary author), this is an
error.  http://www.ics.uci.edu/~fielding/url/test1.html says:

?y         =  http://a/b/c/d;p?y          [R,X,5]*Bug in RFC examples
              http://a/b/c/?y             [1,2,3,4]

so the 2396 example is incorrect, the answer is supposed to be
"http://a/b/c/d;p?y", and many browsers get it wrong.  I guess this
also means the BNF is wrong.

What a mess!

Conclusion?  IE and Mozilla are right, Lynx is wrong, as are many
other browsers--enough that "don't do that" is probably the only
safe answer.  I'd try to use "Listing.html?ClearRestrictions=1" or
"./?ClearRestrictions=1", depending on the desired behavior.

-- 
"The mere tendency of speech to encourage unlawful acts is not a
sufficient reason for banning it. [...]  The right to think is the
beginning of freedom, and speech must be protected from the government
because speech is the beginning of thought."  --Anthony Kennedy




More information about the rt-users mailing list