Remove ability for PAC scripts to see the full http:// URL
Issue description

Today when evaluating a PAC script (Proxy Auto Config), we use a split policy on whether to submit the full URL or a truncated URL to the script:

(1) URLs from secure schemes (ex: "https://" or "wss://") are aggressively truncated to just the authority (Issue 593759)

(2) URLs from insecure schemes (say "http://" or "ftp://") are "sanitized" (embedded identity and fragments are stripped, however full path and query parameters are preserved).

Given the move towards https:// everywhere, the legacy policy being applied to insecure URL schemes is increasingly unimportant, and just confuses the implementation.

We should be at a point where we can align insecure schemes to use the more restrictive policy (1) without causing widespread compatibility problems (once we have eliminated PacHttpsUrlStrippingEnabled - Issue 619087).

This also simplifies optimizations around caching proxy resolutions on a per-host basis (if we relax other parts of the contract).
Sep 24

Sep 24
What is the relevance of comment #2 to this bug?
Nov 28
In terms of compatibility, there are definitely consumers of this functionality. For instance tests like [1] and [2]. And anecdotally I have seen it used in PAC scripts trying to act as content blockers. While it would be nice to align the policies, it may not be worth pushing too hard on this. Can always scope the performance optimization of caching results to https://.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=765245#c4
[2] https://github.com/SeleniumHQ/selenium/blob/master/java/client/test/org/openqa/selenium/ReferrerTest.java#L302
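The split policy from the issue description and the compatibility concern raised above, as an added example (not Chromium's code and not part of the thread). The function names, the `alignInsecure` switch, the trailing-slash output form and the sample PAC script are assumptions made for illustration.

```javascript
// Added illustration; not Chromium source. All names here are hypothetical.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Policy (1): keep only the scheme and authority (host and port).
// Assumption: the truncated form is written with a trailing "/".
function truncateToAuthority(u) {
  return `${u.protocol}//${u.host}/`;
}

// Policy (2): strip embedded identity and fragment, keep path and query.
function sanitize(u) {
  const copy = new URL(u.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

// alignInsecure = false models the split policy described in the issue;
// alignInsecure = true models the proposal (policy (1) for every scheme).
function urlForPac(rawUrl, alignInsecure) {
  const u = new URL(rawUrl);
  if (alignInsecure || SECURE_SCHEMES.has(u.protocol)) {
    return truncateToAuthority(u);
  }
  return sanitize(u);
}

// Constructed PAC script of the content-blocker kind mentioned in the thread:
// it matches on the URL path, so it depends on policy (2).
function FindProxyForURL(url, host) {
  if (url.indexOf("/ads/") !== -1) return "PROXY 127.0.0.1:9";
  return "DIRECT";
}

// Returns what the script was shown and what it decided.
function resolve(rawUrl, alignInsecure) {
  const seen = urlForPac(rawUrl, alignInsecure);
  return { seen, result: FindProxyForURL(seen, new URL(rawUrl).hostname) };
}

// Constructed sample input.
const sample = "http://user:pw@example.test/ads/x.js?id=7#top";
console.log(resolve(sample, false)); // path and query visible to the script
console.log(resolve(sample, true));  // only the authority visible
```

With the aligned policy the path rule never matches, which is the behaviour change the compatibility comment is concerned about; a per-host cache becomes safe for the same reason, since every URL on a host presents the same string to the script.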
Comment 1 by eroman@chromium.org, Sep 10