InformAction Forums

Posted: **Sat Aug 07, 2010 11:04 am**

http://localhost instead of just localhost, why?

Posted: **Tue Aug 17, 2010 12:04 am**

Ns 2.0.2.1

<html>
<head>
<script>
function evHandler(e)
{
   dump(e.type + '\n');
}
function writeFrame()
{
   var w = document.getElementById('child').contentWindow;
   w.document.open();
   w.addEventListener('load', evHandler, false);
   w.addEventListener('DOMContentLoaded', evHandler, false);
   w.document.write('doc.written');
   w.document.close();
}
</script>
</head>
<body>
<button onclick="writeFrame();">write frame</button>
<iframe id="child"></iframe>
</body>
</html>

load the above page on localhost
allow "http://localhost"
write frame
forbid localhost
after refresh, the NS menu contains ( "localhost" "http://localhost" "wyciwyg://localhost" )
expected behavior: at all times, in every state, the menu should show only a single entry "localhost" (and without the scheme)

Posted: **Thu Sep 16, 2010 8:32 am**

Code: Select all

<script src="http://localhost:81/"></script>

For the above page, the menu shows http://localhost twice and also http://localhost:81 (which it shouldn't when ignorePorts==true)

Posted: **Thu Sep 16, 2010 8:56 am**

These are all glitches due to CAPS implementation details: if a domain contains no dots, it needs the protocol to be specified in order to match.
Of course cosmetic changes can be done in order to make the UI less confusing and CAPS disappear in the background as much as possible, but here's the reason you're asking for.

Posted: **Thu Sep 16, 2010 9:12 am**

Giorgio Maone wrote:These are all glitches due to CAPS implementation details: if a domain contains no dots, it needs the protocol to be specified in order to match.
Of course cosmetic changes can be done in order to make the UI less confusing and CAPS disappear in the background as much as possible, but here's the reason you're asking for.

CAPS is an implementation detail as you mentioned, it does not dictate what you show in the menu, that's entirely up to you.

there are three specific separate glitches/bugs here, can you a) repro them all? b) put them on your todo?

Posted: **Thu Sep 16, 2010 9:26 am**

I consider the double http://localhost entry a bug in need to be fixed ASAP.
The other ones are in my TODO list, but low priority because they touch an area which already contain many hacks and moving parts to address the implementation mismatches I hinted you about earlier, and therefore are to be touched with extreme care.

Posted: **Fri Sep 17, 2010 8:58 am**

Forgot to tell: there's a very good reason why http://localhost is shown instead of localhost for "Allow" commands: the browser has currently no way to tell whether localhost (or any other 1 component domain name) is a public internet suffix (TLD) or an arbitrary internal domain name, because nsIEffectiveTLDService.getPublicSuffix() returns the string itself both for "localhost" and for "com".
At this point, why NoScript doesn't display an "Allow localhost" command is quite obvious, isn't it?

Posted: **Fri Sep 17, 2010 9:39 am**

The issues would could reasonably be worked-around have been in latest development build.

Posted: **Fri Sep 17, 2010 11:08 am**

Giorgio Maone wrote:Forgot to tell: there's a very good reason why http://localhost is shown instead of localhost for "Allow" commands: the browser has currently no way to tell whether localhost (or any other 1 component domain name) is a public internet suffix (TLD) or an arbitrary internal domain name, because nsIEffectiveTLDService.getPublicSuffix() returns the string itself both for "localhost" and for "com".
At this point, why NoScript doesn't display an "Allow localhost" command is quite obvious, isn't it?

These are implementation details, what you show in the menu is under your control, and need not impact what happens behind the scenes. If "full addresses" is not set, you should show "localhost" in the menu, how it appears in the whitelist is a different story.

Posted: **Fri Sep 17, 2010 11:51 am**

al_9x wrote:
Giorgio Maone wrote:Forgot to tell: there's a very good reason why http://localhost is shown instead of localhost for "Allow" commands: the browser has currently no way to tell whether localhost (or any other 1 component domain name) is a public internet suffix (TLD) or an arbitrary internal domain name, because nsIEffectiveTLDService.getPublicSuffix() returns the string itself both for "localhost" and for "com".
At this point, why NoScript doesn't display an "Allow localhost" command is quite obvious, isn't it?
These are implementation details, what you show in the menu is under your control, and need not impact what happens behind the scenes. If "full addresses" is not set, you should show "localhost" in the menu, how it appears in the whitelist is a different story.

If I show "localhost", I must show "com" or "org" as well.

Posted: **Fri Sep 17, 2010 11:52 am**

Giorgio Maone wrote:The issues would could reasonably be worked-around have been in latest development build.

http://localhost duplication is still there

Posted: **Fri Sep 17, 2010 12:02 pm**

Giorgio Maone wrote:If I show "localhost", I must show "com" or "org" as well.

Why must you? I don't understand the difficulty, this is just a question of presentation. I am not asking you to change any underlying behavior, just how single label domains are displayed in the menu.

Posted: **Fri Sep 17, 2010 12:46 pm**

al_9x wrote:
Giorgio Maone wrote:If I show "localhost", I must show "com" or "org" as well.
Why must you?

Because there's no way to tell "localhost" apart of "com", "org", "net" and so on.
Therefore if a page has something like

Code: Select all

<script src="http://com/fake.js"></script>
<script src="http://localhost/some-script.js"></script>

I must show either

Code: Select all

Allow http://com
Allow http://localhost

(current way) or

Code: Select all

Allow com
Allow localhost

(your suggested way), which is unacceptable IMHO for obvious reasons.

Posted: **Fri Sep 17, 2010 1:36 pm**

Giorgio Maone wrote:
al_9x wrote:
Giorgio Maone wrote:If I show "localhost", I must show "com" or "org" as well.
Why must you?
Because there's no way to tell "localhost" apart of "com", "org", "net" and so on.

ok got it you don't want to imply that you are allowing the whole tld for the edge case that the host name matches a tld, well the tld list is well defined http://data.iana.org/TLD/tlds-alpha-by-domain.txt you can make exceptions for them

Posted: **Fri Sep 17, 2010 6:37 pm**

And what if new TLDs get added?
IMHO, Giorgio should rather treat all TLDs as potentially valid, except the ones specifically mentioned in RFC 2606:

example
invalid
localhost
test

InformAction Forums

single label hosts (localhost) shown/whitelisted with scheme

single label hosts (localhost) shown/whitelisted with scheme

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc

Re: single label hosts (localhost) shown/whitelisted with sc