[I tried to reply to this this morning but it seems to have gotten lost somewhere. I have had to reconstruct it from memory. Apologies for the possible double post.]

On 2012-06-22 2:39 AM, Gervase Markham wrote:
> On 20/06/12 17:34, Zack Weinberg wrote:
>> Ugh, you're right; I forgot about /etc/hosts and WINS names.
>>
>> There might be something clever we can do to detect these, but I'm not
>> sure what it would be offhand; the operating system APIs I know about
>> are deliberately designed to hide the details of where the names come
>> from :-(
>
> So our current thought is that we can't technically do anything about
> this? But our options may change when we acquire our own DNS resolver?

Yeah, unless someone is cleverer than me. I wouldn't be at all surprised if Windows at least did expose appropriate hooks, but they might be very low-level.

> And we'd have to find the source of suffixes on each OS so we could
> reimplement this functionality.

Right. /etc/resolv.conf is pretty easy to parse, but I think both OSX and Linux are moving away from it, and I don't know what you do for Windows.

> I really don't think breaking people's existing DNS resolution
> configuration, and making Firefox inconsistent with all other apps on
> the machine, is a goer. Unless someone from the networking team wants to
> assert we should look into it...

It certainly would break a lot -- but probably only for a minority of users. And I think it might be worth it in the long run, for the sake of removing this source of ambiguity in the meaning of an apparently-absolute URL. Host identity is fundamental to the web's security model, after all.

> What figures would make the change acceptable? 1%? 0.1%? 0.0001%?

I'm not really in a position to assess that.

> I suspect some users will never use this feature, and some will use it a
> lot (probably without knowing that they are using it).

Agree -- probably not unusual in corporate deployments, but nearly unheard of elsewhere.

zw
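
The suffix ambiguity discussed in this message, as an added example that is not part of the original e-mail or of any Mozilla code: a Python sketch that reads the `search`, `domain` and `ndots` settings from resolv.conf text and lists the names a stub resolver following the usual resolv.conf(5) rules would try for a URL host. The sample file, the function names and the `.example` domains are constructed; names from /etc/hosts or WINS are not modelled.

```python
# Constructed sample resolv.conf; not taken from any real machine.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
domain ignored.example
search corp.example eng.corp.example
options ndots:2 timeout:1
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text."""
    search, ndots = [], 1                      # ndots defaults to 1
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":  # blank line or comment
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "domain" and args:        # domain and search are mutually
            search = [args[0]]                  # exclusive: the last one wins
        elif keyword == "search":
            search = args
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    ndots = min(int(opt[6:]), 15)   # glibc caps ndots at 15
    return [s.rstrip(".").lower() for s in search], ndots


def candidate_names(host, search, ndots):
    """Ordered list of fully qualified names the resolver would query."""
    if host.endswith("."):                      # trailing dot: absolute name,
        return [host.rstrip(".").lower()]       # the search list is skipped
    host = host.lower()
    expanded = [f"{host}.{suffix}" for suffix in search]
    if host.count(".") >= ndots:                # enough dots: try as-is first
        return [host] + expanded
    return expanded + [host]                    # otherwise suffixes come first


def is_ambiguous(host, search, ndots):
    """True when the host a URL names may resolve under more than one FQDN."""
    return len(candidate_names(host, search, ndots)) > 1


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for host in ("intranet", "mozilla.org", "www.mozilla.org", "mozilla.org."):
        print(host, "->", candidate_names(host, search, ndots))
```

With the constructed `ndots:2` setting, `mozilla.org` is tried under the corporate suffixes before it is tried as written, which is the ambiguity in an apparently-absolute URL that the message refers to.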
