Skip to content

Fix #147: Require URLs to be absolute. #170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jyasskin merged 2 commits into from
Apr 6, 2018
Merged

Fix #147: Require URLs to be absolute. #170

jyasskin merged 2 commits into from
Apr 6, 2018

Conversation

@jyasskin
Copy link
Member

@jyasskin jyasskin commented Apr 5, 2018

I realized this should probably also go in before I publish the implementation draft.

Spec: Preview, Diff

Impl draft: Preview, Diff

@jyasskin
Fix WICG#147: Require URLs to be absolute.
b02ea43 
Effective request URIs probably already are, but RFC7230 doesn't say so
explicitly.
@jyasskin jyasskin requested review from nyaxt and twifkak April 5, 2018 19:30
@twifkak
Copy link
Collaborator

twifkak commented Apr 5, 2018

Looks good to me, assuming the allowance of all schemes (incl file:) is intentional (and it's safe to ignore fragments).

@jyasskin
Copy link
Member Author

jyasskin commented Apr 6, 2018

I suspect we're going to need to restrict the schemes some, but I'm not sure to what (https only? potentially-trustworthy only?), so I was going to leave that open for now.

@jyasskin jyasskin merged commit 53e0753 into WICG:master Apr 6, 2018
@jyasskin jyasskin deleted the absolute-urls branch April 6, 2018 17:34
@nyaxt
Copy link
Collaborator

nyaxt commented Apr 9, 2018

lgtm

@horo-t horo-t mentioned this pull request Apr 9, 2018
Closed
aarongable pushed a commit to chromium/chromium that referenced this pull request Apr 10, 2018
@horo-t
Check the validity of URLs of SignedHTTPExchange
da1e9ae 
CertUrl and validityUrl and request URL must be absolute.
WICG/webpackage#170

Currently the validity of certUrl and validityUrl is checked in ParseSignature().
But there is no validity check of the request url.
And also there is no has_ref() check of all of them.

So this CL adds these checks:
 - is_valid() and !has_ref() for request URL.
 - !has_ref() check for certUrl and validityUrl.

Bug: 829932
Change-Id: I4502cb7cbb381e631292c8fd7a1ca998614f21b3
Reviewed-on: https://chromium-review.googlesource.com/1002338
Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org>
Commit-Queue: Tsuyoshi Horo <horo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#549446}
twifkak added a commit to twifkak/amppackager that referenced this pull request Apr 14, 2018
@twifkak
Add no-transform and usqp.
42a91be 
Add Cache-Control: no-transform to the signed-exchange response, to
discourage intermediaries from modifying it.

Add usqp to the fetch request, to tell the AMP Cache to perform web
package transforms (in particular, additional headers).

Add a note that URL fragments are disallowed, per
WICG/webpackage#170.
@twifkak twifkak mentioned this pull request Apr 14, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@twifkak twifkak Awaiting requested review from twifkak

@nyaxt nyaxt Awaiting requested review from nyaxt

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jyasskin @twifkak @nyaxt