PAC FindProxyForURL(url, host), wrong url in HTTP/2
Reported by zheng....@gmail.com, Nov 23
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. visit an HTTP2 site
2. it will load resources after the HTML is loaded
3. in FindProxyForURL, all "url" arguments will be the same as the URL in the address bar, not the resource URL

This is confirmed in "chrome://net-internals/#events": when I visit my site "https://blog.soulogic.com/", the page requests lots of URLs, one of them is "https://blog.soulogic.com/api/list", but in the FindProxyForURL() function, I receive "https://blog.soulogic.com/".

In my PAC file:

function FindProxyForURL(url, host) {
  alert('url=' + url);

You can see on the right side of the attached picture, it reports:

HTTP_STREAM_JOB_CONTROLLER [dt=0]
 --> is_preconnect = false
 --> url = "https://blog.soulogic.com/api/list"
PAC_JAVASCRIPT_ALERT
 --> message = "url=https://blog.soulogic.com/"

What is the expected behavior?

What went wrong?
I think the new concepts (frame/stream) in HTTP/2 are different from old HTTP; PAC receives the wrong request URL in function FindProxyForURL.

Did this work before? N/A

Chrome version: 70.0.3538.110 Channel: stable
OS Version: Ubuntu 18.04 LTS
Flash Version:
Nov 26
For security reasons, we don't pass HTTPS paths to PAC scripts. There is an enterprise policy to give PAC scripts full HTTPS URLs (PacHttpsUrlStrippingEnabled), but I'm not sure how long it will be around.
Nov 26
Issue 619087 is for removing that policy.
Nov 26
As noted, the policy PacHttpsUrlStrippingEnabled should not be disabled. It opens security holes (https://www.blackhat.com/docs/us-16/materials/us-16-Kotler-Crippling-HTTPS-With-Unholy-PAC.pdf), and will be removed in a couple releases (probably around M74). What is your use-case for deciding the proxy based on the full URL?
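
The behavior discussed in this thread, as an added example that is not part of the original issue and is not Chromium's code: a simplified model of HTTPS URL stripping, run against a path-based and a host-based PAC rule. The proxy name, the two rule functions and the helper names are hypothetical, and dropping the query string together with the path is an assumption of this model.

```javascript
// Added illustration, not Chromium's implementation: a simplified model of the
// HTTPS URL stripping described in this thread. Dropping the query string
// along with the path is an assumption of this model.
function stripForPac(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === "https:") {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Hypothetical proxy name, used only for this example.
const PROXY = "PROXY proxy.example.internal:3128";

// Rule keyed on the path: it can never match an https:// request once the
// path has been stripped, so it silently falls through to DIRECT.
function pathBasedPac(url, host) {
  return url.indexOf("/api/") !== -1 ? PROXY : "DIRECT";
}

// Rule keyed on the host argument: unaffected by stripping.
function hostBasedPac(url, host) {
  return host === "blog.soulogic.com" ? PROXY : "DIRECT";
}

// Model of the browser side: strip the URL, then call the PAC entry point
// with (url, host) and report what the script saw and what it returned.
function evaluate(findProxyForURL, requestUrl) {
  const seenUrl = stripForPac(requestUrl);
  const host = new URL(requestUrl).hostname;
  return { seenUrl, result: findProxyForURL(seenUrl, host) };
}

// Constructed sample requests, using the site named in the report.
const samples = [
  "https://blog.soulogic.com/",
  "https://blog.soulogic.com/api/list",
  "http://blog.soulogic.com/api/list",
];
for (const s of samples) {
  console.log(s, evaluate(pathBasedPac, s), evaluate(hostBasedPac, s));
}
```

A PAC file whose rules read only the host argument gives the same answer with stripping on or off, which makes it a quick audit check before the policy is removed.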
Comment 1 by viswa.karala@chromium.org, Nov 25