New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
difference between protocol and scheme absolute/relative urls check logic, also node vs browser #8091
base: master
Are you sure you want to change the base?
Conversation
also, tested with using a string parsing solution like: https://github.com/unshiftio/url-parse it does recognize |
OR we can have |
public/src/utils.js
Outdated
return utils.parseUrl(url, true, true); | ||
}, | ||
|
||
parseUrl: function (url, parseQueryString, slashesDenoteHost) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommend returning a runtime-independent object from this function instead of using isBrowser multiple places.
For instance, returning an object with booleans isSchemeAbsolute, isProtocolAbsolute etc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well, I would have to "parse" twice each time, since when you're testing for scheme-absolute you would have to set slashesDenoteHost=true
and would have to strip the leading slashes
isProtocolAbsoluteUrl: function (url) {
url = url.replace(/^\/{3,}/, '//');
var a = utils.parseUrl(url, true, **true);
We don't need to do that when testing for scheme-absolute, so in order to get both results each time, we need to require('url').parse()
twice
Which is doable I guess, but just letting you know.
Scheme-absolute seems to win the people's consensus
BUT the behavior is different from the server (node environment) and the browser, so remember, there are 2 factors with 2 possible values each, here's a table
For example:
//google.com
For example for
////google.com
In order to mitigate this in the results below, we replace all 3+ leading slashes with 2 slashes,
url.replace(/^\/{3,}/, '//');
Reason of different behavior node vs browser
Since there is no equivalent, on the browser, using
document.createElement('a')
, to theslashesDenoteHost
ofURL.parse(str, parseQueryString, slashesDenoteHost))
, on the browser,slashesDenoteHost
is as always set totrue
.Also, the browser treats 3+ leading i.e
////google.com
slashes as 2 leading slashes, and sets ahost
value on the result fromparseUrl()
, while node, usingURL.parse('////google.com', true, true)
does not set ahost
value to it, so we think it's a relative url, while butres.redirect
redirects it externally without an issue.Why are we using protocol-absolute?
Unlike the others.
Because for our purposes, we want to consider any redirect attempts to
//example.com
or attempts to set an img src, to be external. Maybe we should use a different function name? i.e.isUrlExternal()
instead?in Node
in Browser
https://jsfiddle.net/hm129g0r/15/