tls - Dave's Blog


Search

location.hash and location.search are bad and they should feel bad

May 22, 9:25
The DOM location interface exposes the HTML document's URI parsed into its properties. However, it is ancient and has problems that bug me but otherwise rarely show up in the real world. Complaining about mostly theoretical issues is why blogging exists, so here goes:
  • The location object's search, hash, and protocol properties are all misnomers that lead to confusion about the correct terms:
    • The 'search' property returns the URI's query property. The query property isn't limited to containing search terms.
    • The 'hash' property returns the URI's fragment property. This one is just named after its delimiter. It should be called the fragment.
    • The 'protocol' property returns the URI's scheme property. A URI's scheme isn't necessarily a protocol. The http URI scheme of course uses the HTTP protocol, but the https URI scheme is the HTTP protocol over SSL/TLS - there is no HTTPS protocol. Similarly for something like mailto - there is no mailto wire protocol.
  • The 'hash' and 'search' location properties both return null in the case that their corresponding URI property doesn't exist or if its the empty string. A URI with no query property and a URI with an empty string query property that are otherwise the same, are not equal URIs and are allowed by HTTP to return different content. Similarly for the fragment. Unless the specific URI scheme defines otherwise, an empty query or hash isn't the same as no query or hash.
But like complaining about the number of minutes in an hour none of this can ever change without huge compat issues on the web. Accordingly I can only give my thanks to Anne van Kesteren and the awesome work on the URL standard moving towards a more sane (but still working practically within the constraints of compat) location object and URI parsing in the browser.
PermalinkComments

Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

2011 Sep 23, 4:37PermalinkCommentstechnical

Thread Local Storage, part 1: Overview « Nynaeve

2011 Aug 6, 1:53Description of the inner workings of both of Window's TLS options, the Win32 APIs like TlsAlloc as well as __declspec(thread). I didn't know that the max number of TLS indices is now 1088.PermalinkCommentsblog programming development windows debug tls thread-local-storage

Chromium Blog: SSL FalseStart Performance Results

2011 May 22, 10:44Links to the IETF draft document of and describes the perf benefits of SSL False Start.PermalinkCommentssecurity google browser web webbrowser https performance ssl tls technical

hackademix.net » Strict Transport Security in NoScript

2009 Sep 24, 3:51A proposed new HTTP header 'X-Force-TLS' to indicate a site only wants to be over HTTPS.PermalinkCommentshttp header security https extension noscript web browser webbrowser
Older Entries Creative Commons License Some rights reserved.