
Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Regression

Blocked on:
issue 593759




Issue 619097: proxy PAC script gets a truncated URL for HTTPS origins

Reported by ppergame@chromium.org, Jun 10 2016 Project Member

Issue description

Version: 53.0.2763.0
OS: Linux

What steps will reproduce the problem?

(1) Add an alert to the proxy PAC file:
function FindProxyForURL(url, host) {
  alert('url: \'' + url + '\', host: \'' + host + '\'');
  return 'DIRECT';
}

(2) Go to an HTTPS page, for example https://s.ytimg.com/yts/jsbin/player-en_US-vflzxAejD/base.js

(3) Observe missing data
t=988 [st=0]  PAC_JAVASCRIPT_ALERT
              --> message = "url: 'https://s.ytimg.com/', host: 's.ytimg.com'"

What is the expected output?

For a non-HTTPS page http://s.ytimg.com/yts/jsbin/player-en_US-vflzxAejD/base.js, I see:

t=27788 [st=0]  PAC_JAVASCRIPT_ALERT
                --> message = "url: 'http://s.ytimg.com/yts/jsbin/player-en_US-vflzxAejD/base.js', host: 's.ytimg.com'"


I tried flipping the out-of-process PAC flag, but nothing changed.
 

Comment 1 by ppergame@chromium.org, Jun 10 2016

Components: Internals Internals>Network>Proxy

Comment 2 by ppergame@chromium.org, Jun 10 2016

Cc: amistry@chromium.org

Comment 3 by cbentzel@chromium.org, Jun 10 2016

Cc: -amistry@chromium.org eroman@chromium.org

Comment 4 by eroman@chromium.org, Jun 10 2016

Blockedon: 593759
Labels: M-52
Status: WontFix (was: Untriaged)
Unfortunately this is an intentional behavior that is new to M52. It is a consequence of the bugfix for issue 593759.

Stripping of https:// URLs can (temporarily) be switched off using either
  The policy PacHttpsUrlStrippingEnabled (set it to False)
or
  The command line flag --unsafe-pac-url


I say "temporarily" because at this time we don't plan to allow overriding the stripping of https:// URLs in the long-term (issue 619087).

Comment 5 by masha...@phulas.com, Dec 26 2016

I understand changing the default but is it possible to have the --unsafe-pac-url switch/flag kept in place permanently? The power that URL inspection gives for Proxy Auto-Configuration can't be replicated and exposing url paths does not pose a risk if the developer does not expose sensitive information in the path of the URL?

Comment 6 by eroman@chromium.org, Dec 27 2016

No, we do not want to support this permanently.

As a general feature for PAC it is not safe, nor something that can be reliably assumed across browsers/platforms.

If there are use cases not being addressed by the sanitized PAC, it will probably need Chrome-specific solutions with extensions.

Comment 7 by serg...@gmail.com, Jun 2 2018

> If there are use cases not being addressed by the sanitized PAC, it will probably need Chrome specific solutions with extensions.

So, how can extensions work around this problem? It is important precisely for a Chrome extension (proxy switcher): https://github.com/FelisCatus/SwitchyOmega/wiki/Chromium-Full-URL-Limitation

Comment 8 by eroman@chromium.org, Jun 5 2018

There is no workaround for extensions.

You can file a feature request for an extension API that lets you set the resolved proxy. (What we have right now just lets you set the proxy settings).
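
Added example (not part of the thread and not Chromium's code): a small model of the stripping shown in the report, used to audit a PAC script for rules whose result changes once https:// URLs are reduced to scheme and host. The PAC rules, proxy names and sample URLs are constructed, and keeping a non-default port in the stripped URL is an assumption.

```javascript
// Model of the behaviour reported above (a sketch, not Chromium's
// implementation): https:// URLs reach the PAC script as
// scheme + host + "/", while http:// URLs are passed through unchanged.
// Assumption: a non-default port survives the stripping.
function sanitizeForPac(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'https:') return rawUrl;
  return u.protocol + '//' + u.host + '/';
}

// Constructed PAC script: the first rule depends on the URL path, so it
// cannot fire for https:// once the path is stripped.
function FindProxyForURL(url, host) {
  if (url.indexOf('/internal/') !== -1) return 'PROXY proxy.example:3128';
  if (host === 'static.example') return 'DIRECT';
  return 'PROXY default.example:8080';
}

// Run the PAC function on the full and on the stripped URL and report
// every URL whose proxy decision differs between the two.
function auditPac(findProxy, urls) {
  const affected = [];
  for (const raw of urls) {
    const host = new URL(raw).hostname;
    const full = findProxy(raw, host);
    const stripped = findProxy(sanitizeForPac(raw), host);
    if (full !== stripped) affected.push({ url: raw, full, stripped });
  }
  return affected;
}

// Constructed sample traffic; the last URL is the one from the report.
const SAMPLE_URLS = [
  'https://app.example/internal/report?id=7',
  'http://app.example/internal/report?id=7',
  'https://static.example/site.js',
  'https://s.ytimg.com/yts/jsbin/player-en_US-vflzxAejD/base.js',
];

for (const hit of auditPac(FindProxyForURL, SAMPLE_URLS)) {
  console.log(hit.url + ': ' + hit.full + ' -> ' + hit.stripped);
}
```

Rules that key on the host argument give the same answer before and after stripping; only the path-dependent rule is reported.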
