single label hosts (localhost) shown/whitelisted with scheme

[al_9x]

http://localhost instead of just localhost, why?

[al_9x]

Ns 2.0.2.1

Code: Select all

<html>
<head>
<script>
function evHandler(e)
{
   dump(e.type + '\n');
}
function writeFrame()
{
   var w = document.getElementById('child').contentWindow;
   w.document.open();
   w.addEventListener('load', evHandler, false);
   w.addEventListener('DOMContentLoaded', evHandler, false);
   w.document.write('doc.written');
   w.document.close();
}
</script>
</head>
<body>
<button onclick="writeFrame();">write frame</button>
<iframe id="child"></iframe>
</body>
</html>

1. load the above page on localhost
2. allow "http://localhost"
3. write frame
4. forbid localhost
5. after refresh, the NS menu contains ( "localhost" "http://localhost" "wyciwyg://localhost" )
6. expected behavior: at all times, in every state, the menu should show only a single entry "localhost" (and without the scheme)

[al_9x]

Code: Select all

<script src="http://localhost:81/"></script>

For the above page, the menu shows http://localhost twice and also http://localhost:81 (which it shouldn't when ignorePorts==true)

[Giorgio Maone]

These are all glitches due to CAPS implementation details: if a domain contains no dots, it needs the protocol to be specified in order to match.
Of course cosmetic changes can be done in order to make the UI less confusing and CAPS disappear in the background as much as possible, but here's the reason you're asking for.

[al_9x]

These are all glitches due to CAPS implementation details: if a domain contains no dots, it needs the protocol to be specified in order to match.
Of course cosmetic changes can be done in order to make the UI less confusing and CAPS disappear in the background as much as possible, but here's the reason you're asking for.

CAPS is an implementation detail as you mentioned, it does not dictate what you show in the menu, that's entirely up to you.

there are three specific separate glitches/bugs here, can you a) repro them all? b) put them on your todo?

[Giorgio Maone]

I consider the double http://localhost entry a bug in need to be fixed ASAP.
The other ones are in my TODO list, but low priority because they touch an area which already contain many hacks and moving parts to address the implementation mismatches I hinted you about earlier, and therefore are to be touched with extreme care.

[Giorgio Maone]

Forgot to tell: there's a very good reason why http://localhost is shown instead of localhost for "Allow" commands: the browser has currently no way to tell whether localhost (or any other 1 component domain name) is a public internet suffix (TLD) or an arbitrary internal domain name, because nsIEffectiveTLDService.getPublicSuffix() returns the string itself both for "localhost" and for "com".
At this point, why NoScript doesn't display an "Allow localhost" command is quite obvious, isn't it?

[Giorgio Maone]

The issues would could reasonably be worked-around have been in latest development build.

[al_9x]

Forgot to tell: there's a very good reason why http://localhost is shown instead of localhost for "Allow" commands: the browser has currently no way to tell whether localhost (or any other 1 component domain name) is a public internet suffix (TLD) or an arbitrary internal domain name, because nsIEffectiveTLDService.getPublicSuffix() returns the string itself both for "localhost" and for "com".
At this point, why NoScript doesn't display an "Allow localhost" command is quite obvious, isn't it?

These are implementation details, what you show in the menu is under your control, and need not impact what happens behind the scenes. If "full addresses" is not set, you should show "localhost" in the menu, how it appears in the whitelist is a different story.

[Giorgio Maone]

Forgot to tell: there's a very good reason why http://localhost is shown instead of localhost for "Allow" commands: the browser has currently no way to tell whether localhost (or any other 1 component domain name) is a public internet suffix (TLD) or an arbitrary internal domain name, because nsIEffectiveTLDService.getPublicSuffix() returns the string itself both for "localhost" and for "com".
At this point, why NoScript doesn't display an "Allow localhost" command is quite obvious, isn't it?

These are implementation details, what you show in the menu is under your control, and need not impact what happens behind the scenes. If "full addresses" is not set, you should show "localhost" in the menu, how it appears in the whitelist is a different story.

If I show "localhost", I must show "com" or "org" as well.

[al_9x]

The issues would could reasonably be worked-around have been in latest development build.

http://localhost duplication is still there

[al_9x]

If I show "localhost", I must show "com" or "org" as well.

Why must you? I don't understand the difficulty, this is just a question of presentation. I am not asking you to change any underlying behavior, just how single label domains are displayed in the menu.

[Giorgio Maone]

If I show "localhost", I must show "com" or "org" as well.

Why must you?

Because there's no way to tell "localhost" apart of "com", "org", "net" and so on.
Therefore if a page has something like

Code: Select all

<script src="http://com/fake.js"></script>
<script src="http://localhost/some-script.js"></script>

I must show either

Code: Select all

Allow http://com
Allow http://localhost

(current way) or

Code: Select all

Allow com
Allow localhost

(your suggested way), which is unacceptable IMHO for obvious reasons.

[al_9x]

If I show "localhost", I must show "com" or "org" as well.

Why must you?

Because there's no way to tell "localhost" apart of "com", "org", "net" and so on.

ok got it you don't want to imply that you are allowing the whole tld for the edge case that the host name matches a tld, well the tld list is well defined http://data.iana.org/TLD/tlds-alpha-by-domain.txt you can make exceptions for them

[dhouwn]

And what if new TLDs get added?
IMHO, Giorgio should rather treat all TLDs as potentially valid, except the ones specifically mentioned in RFC 2606:

• example
• invalid
• localhost
• test