New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 299649 link

Starred by 2 users

Issue metadata

Status: WontFix
Closed: Sep 2013
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Sign in to add a comment

PAC function dnsDomainIs matches all hosts with specified suffix

Reported by, Sep 27 2013

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0

Example URL:

Steps to reproduce the problem:
1. Set proxy settings to use PAC script:
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "") {
    return "DIRECT";
  } else {
    return "HTTP";
2. Try to open any website with domain suffix '', but not subdomain of (eg '')

What is the expected behavior?
Request to should be sent using proxy.

What went wrong?
It seems that dnsDomainIs matches all host with specified domain suffix (not only subdomains). In this example request to will be sent directly.

Did this work before? N/A 

Chrome version: 29.0.1547.76  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

Comment 1 by, Sep 29 2013

Labels: -Cr-Internals-Network Cr-Internals-Network-Proxy
Status: WontFix
eroman: could you take a look?

The dnsDomainIs function is defined in net/proxy/proxy_resolver_script.h as follows:

55	  "function dnsDomainIs(host, domain) {\n" \
56	  "    return (host.length >= domain.length &&\n" \
57	  "            host.substring(host.length - domain.length) == domain);\n" \
58	  "}\n" \

This explains the reported behavior.

kermen.ip: based on my quick research, I am afraid that this is working as intended.
To get the desired behavior, you should pass "" instead of ""
to dnsDomainIs. See the examples in
dnsDomainIs(host, "") doesn't match "".

Ok, if this is intended. I just can't find at least one use case when this behaviour is appropriate.

Comment 3 by, Feb 21 2018

This is still an issue.
Effectively dnsDomainIs is a tail match for domains. Any preceding subdomains or characters are matched too. Issue in hand is typing to match only but not

Comment 4 by, Feb 21 2018

I agree that dnsDomainIs() is broken.
However I don't see a path forward to changing this behavior.

Browsers agree on this bad implementation, and changing it now would introduce compatibility problems that could do more harm than good.

If we were do do something about it, we would end up adding a new function with a different name that does something less stupid.

This would require modification of PAC scripts anyway, so callers may as well just implement their own one-liner and have it do the right thing today in all browsers if impacted by it.

Unfortunately the PAC library is unspecified and doesn't have a standards track for making changes to it. There are plenty of other problems with it. For instance broken handling of IPv6 addresses (which prompted Microsoft to introduce things like dnsResolveEx()).
Labels: Hotlist-Enterprise

Sign in to add a comment