
Issue 299649

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




PAC function dnsDomainIs matches all hosts with specified suffix

Reported by kermen...@gmail.com, Sep 27 2013

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0

Example URL:

Steps to reproduce the problem:
1. Set proxy settings to use PAC script:
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "google.com")) {
    return "DIRECT";
  } else {
    return "HTTP proxy.example.com:3128";
  }
}
2. Try to open any website with domain suffix 'google.com', but not subdomain of google.com (eg 'agoogle.com')

What is the expected behavior?
Request to agoogle.com should be sent using proxy.

What went wrong?
It seems that dnsDomainIs matches all hosts with specified domain suffix (not only subdomains). In this example request to agoogle.com will be sent directly.

Did this work before? N/A 

Chrome version: 29.0.1547.76  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
 

Comment 1 by wtc@chromium.org, Sep 29 2013

Cc: wtc@chromium.org
Labels: -Cr-Internals-Network Cr-Internals-Network-Proxy
Owner: eroman@chromium.org
Status: WontFix
eroman: could you take a look?

The dnsDomainIs function is defined in net/proxy/proxy_resolver_script.h as follows:

  "function dnsDomainIs(host, domain) {\n" \
  "    return (host.length >= domain.length &&\n" \
  "            host.substring(host.length - domain.length) == domain);\n" \
  "}\n" \

This explains the reported behavior.

kermen.ip: based on my quick research, I am afraid that this is working as intended.
To get the desired behavior, you should pass ".google.com" instead of "google.com"
to dnsDomainIs. See the examples in
http://docs.oracle.com/cd/E19316-01/820-5723/6nh3nq81t/index.html
http://technet.microsoft.com/en-us/library/dd361950.aspx
dnsDomainIs(host, ".google.com") doesn't match "google.com".

Ok, if this is intended. I just can't find at least one use case when this behaviour is appropriate.

Comment 3 by dje...@gmail.com, Feb 21 2018

This is still an issue.
Effectively dnsDomainIs is a tail match for domains. Any preceding subdomains or characters are matched too. Issue in hand is trying to match only login.microsoftonline.com but not device.login.microsoftonline.com.

Comment 4 by eroman@chromium.org, Feb 21 2018

I agree that dnsDomainIs() is broken.
However I don't see a path forward to changing this behavior.

Browsers agree on this bad implementation, and changing it now would introduce compatibility problems that could do more harm than good.

If we were to do something about it, we would end up adding a new function with a different name that does something less stupid.

This would require modification of PAC scripts anyway, so callers may as well just implement their own one-liner and have it do the right thing today in all browsers if impacted by it.

Unfortunately the PAC library is unspecified and doesn't have a standards track for making changes to it. There are plenty of other problems with it. For instance broken handling of IPv6 addresses (which prompted Microsoft to introduce things like dnsResolveEx()).
Labels: Hotlist-Enterprise
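
Added example, not part of the original thread and not Chromium's code: one way to write the caller-side check Comment 4 suggests, so that a lookalike host such as agoogle.com is not sent DIRECT around the proxy. The helper names canonicalHost, hostInDomain, hostIs and compare are hypothetical; dnsDomainIs is reproduced from Comment 1 only so the two behaviours can be compared outside a browser, and should be left out of a deployed PAC file.

```javascript
// Built-in as quoted in Comment 1: a plain string tail match.
// Included only for comparison when run outside a PAC engine.
function dnsDomainIs(host, domain) {
  return (host.length >= domain.length &&
          host.substring(host.length - domain.length) == domain);
}

// Hypothetical helper: lower-case and drop one trailing dot ("google.com.").
function canonicalHost(name) {
  var n = String(name).toLowerCase();
  return n.charAt(n.length - 1) === "." ? n.substring(0, n.length - 1) : n;
}

// Hypothetical helper: host is `domain` itself or a subdomain of it.
// The match must begin at a label boundary, so "agoogle.com" fails.
function hostInDomain(host, domain) {
  var h = canonicalHost(host), d = canonicalHost(domain);
  if (d === "") return false;
  if (h === d) return true;
  return h.length > d.length &&
         h.substring(h.length - d.length - 1) === "." + d;
}

// Hypothetical helper: exact host only, no subdomains (Comment 3's case).
function hostIs(host, name) {
  return canonicalHost(host) === canonicalHost(name);
}

// The reporter's PAC script with the boundary-aware check swapped in.
function FindProxyForURL(url, host) {
  if (hostInDomain(host, "google.com")) {
    return "DIRECT";
  }
  return "HTTP proxy.example.com:3128";
}

// Constructed sample hosts: [host, built-in result, boundary-aware result].
function compare() {
  var hosts = ["google.com", "www.google.com", "agoogle.com", "GOOGLE.COM."];
  var rows = [];
  for (var i = 0; i < hosts.length; i++) {
    rows.push([hosts[i], dnsDomainIs(hosts[i], "google.com"),
               hostInDomain(hosts[i], "google.com")]);
  }
  return rows;
}
```

The code sticks to ES3 syntax (var, substring, no endsWith) as an assumption about what older PAC engines accept.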
