Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

username/password/port should be removed when "file" is added as scheme #259

Closed
watilde opened this issue Feb 23, 2017 · 10 comments
Closed

username/password/port should be removed when "file" is added as scheme #259

watilde opened this issue Feb 23, 2017 · 10 comments

Comments

@watilde
Copy link

watilde commented Feb 23, 2017

According to this section in the spec, the file scheme can't have username/password/port. I think they also should be removed automatically when file: is added as the scheme. Currently, they are left in the href even they cannot be overwritten.

e.g.

var url = new URL('http://user:[email protected]:21/aaa/zzz?l=24#test');
url.protocol = 'file:';
// url.href:
// + expected: file://foo.bar.com/aaa/zzz?l=24#test
// + actual: "file://user:pass%40foo.bar.com:21/aaa/zzz?l=24#test"
@annevk
Copy link
Member

annevk commented Feb 24, 2017

We should probably not allow setting to file under those conditions. That's what we do for similar situations elsewhere (e.g., setting host to the empty string when port is non-empty).

@watilde
Copy link
Author

watilde commented Feb 25, 2017

The basis why this behavior should avoid is that it allows having an invalid URL in the href:

var url = new URL('http://user:[email protected]:21/aaa/zzz?l=24#test');
url.protocol = 'file:';

var url2 = new URL(url.href);
// => Uncaught TypeError: Failed to construct 'URL': Invalid URL
//      at <anonymous>:1:1
//  (anonymous) @ VM326:1

As another workaround, it can escape the invalid character strings, but it's more predictable and natural to delete automatically imho because the properties such as username/password/port are independent of each other.

@annevk
Copy link
Member

annevk commented Feb 25, 2017

I still think making the setter fail (return early) is the most consistent.

@watilde
Copy link
Author

watilde commented Feb 25, 2017
edited
Loading

I just noticed that URL allows adding an invalid URL into href:

var url = new URL('http://example.com');
url.href = 'file://user:pass%40foo.bar.com:21/aaa/zzz?l=24#test';

Then this issue is not an exception anymore. Fair enough :)

Thanks, I'm going to close this as resolved.

@watilde watilde closed this as completed Feb 25, 2017
@annevk annevk reopened this Feb 25, 2017
@annevk
Copy link
Member

annevk commented Feb 25, 2017

I don't think that's true per the URL Standard?

@annevk
Copy link
Member

annevk commented Feb 25, 2017

In particular, x = new URL("https://test/"); x.href = "https://test:test/" is supposed to throw.

@watilde
Copy link
Author

watilde commented Feb 25, 2017

The essential point of this issue report is that whether the latter part of the below is correct or not: Errors should be thrown when an invalid URL string is passed to the constructor, and also errors should be thrown too when an invalid property is set to the instance of the URL.

If x = new URL("https://test/"); x.href = "https://test:test/" is supposed to throw, then we could consider about the case to change its protocol that makes href invalid imo.

@annevk
Copy link
Member

annevk commented Feb 27, 2017

I'm not sure I follow what you're saying. Setting href throws for invalid input, but other properties typically do nothing (no-ops). That's not super consistent, but that was already how those properties behaved elsewhere in the platform and given all the minor inconsistencies across browsers not throwing ends up breaking less code as well.

annevk added a commit that referenced this issue Mar 10, 2017
@annevk
Restrict setting protocol to "file"
3c41b2d 
As file URLs cannot have username/password/port we don’t want to allow
changing the scheme of a URL that contains one or more of those
components.

Fixes #259.
@annevk annevk mentioned this issue Mar 10, 2017
Merged
@annevk
Copy link
Member

annevk commented Mar 10, 2017

I posted a PR, would appreciate a review @watilde. I'll also write some tests.

@watilde
Copy link
Author

watilde commented Mar 10, 2017

Wow that's great. I will check it now 😃

annevk added a commit to web-platform-tests/wpt that referenced this issue Mar 10, 2017
@annevk
URL: protocol setter needs to be more restrictive for "file"
bb8d885 
See whatwg/url#259.
@annevk annevk mentioned this issue Mar 10, 2017
Merged
@watilde watilde mentioned this issue Mar 10, 2017
Closed
@rmisev rmisev mentioned this issue Mar 10, 2017
Closed
annevk added a commit to web-platform-tests/wpt that referenced this issue Mar 15, 2017
@annevk
URL: protocol needs to be more restrictive around "file"
e48dd15 
See whatwg/url#259 and whatwg/url#270.
annevk added a commit that referenced this issue Mar 15, 2017
@annevk
Restrict protocol around "file"
462fdc1 
As file URLs cannot have username/password/port we don’t want to allow changing the scheme of a URL that contains one or more of those components.

Similarly a file URL can have an empty/null host, changing the scheme to another special URL that cannot have such a host would be bad.

Fixes #259 and fixes #270.
watilde added a commit to watilde/ruby that referenced this issue Mar 8, 2018
@watilde
uri: restrict setting protocol to file scheme
e916d00 
As file URLs cannot have username/password/port,
we should not keep them when scheme is changed to file.

Refs: whatwg/url#259
@watilde watilde mentioned this issue Mar 8, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@annevk @watilde