Why do FireFox and certain other browsers alter the URL in the address bar when the server responds


Problem description

I'm having difficulty meeting PCI-DSS compliance this quarter because of the following problem.

When you type the following into a browser...

http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22

...it responds and, as a consequence, for some reason that I cannot ascertain, the URL in the browser address bar is changed to the following:

http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname="><script>alert(123)<%2Fscript>"

You can see that some of the escaped characters in the original URL have been replaced by unescaped ones.

The reason I gave for this is that FireFox automatically reformats the URL in the address bar when the server responds, no matter how it responds, in order to make it more readable. I told them there was nothing I could do about it. However, in fairness, they countered that if you try the following URL...

http://www.google.com/%22%%203E%3Cscript%3Ealert%28123%29%3C%2Fscript%3%20E%22

...when the Google servers respond, the browser does not change the URL and it remains the same:

http://www.google.com/%22%%203E%3Cscript%3Ealert%28123%29%3C%2Fscript%3%20E%22

They have a point.

So what on earth is going on? I've narrowed down the problem and if I do no more than request an empty text file, but append some nonsense query after it...

http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22

...lo and behold it gets rewritten when my local server responds:

I've run this through Fiddler and can see nothing untoward, and I've turned off the rewrite engine. I'm running Apache.

To add to the confusion, different browsers respond differently. Typing...

http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22

...into Chrome yields:

Into IE, the URL stays exactly the same. In Opera, the query string is dropped unless you click on the address bar, lending credence to my belief that browsers automatically change URLs in address bars on response in order to make them more readable. Safari, like IE, leaves the URL alone.

I'm going to check Google's response now for clues. Is there some HTTP directive that instructs the browser not to meddle with the URL on response?

Any help is much appreciated!

Kind regards,

James

Recommended answer

Before I found out that the characters were only displayed decoded but not really changed, in the address bar by Firefox, I set up a test to find out what happened.

This led to this demo: 'The magic Firefox address bar decoder' that demonstrates (and lists) which characters are displayed decoded in the address bar and what is read from the address bar by script. Running the page in different browsers shows the differences.

Firefox changes the most, Chrome changes only a few characters, IE and Safari don't change anything. The choice of characters that are decoded by Firefox seems unrelated to the selection of characters that are encoded by encodeUriComponent. Hope this might help anyone.
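
The answer's point, that the address bar shows characters decoded without changing the URL itself, as an added example that is not part of the original answer: it compares the displayed text, the serialized URL and the decoded parameter for the URL from the question. The `KEEP_ENCODED` set and the function names are assumptions chosen to reproduce the display shown in the question, not Firefox's actual rule.

```javascript
// Added example: separates what the address bar shows from what is sent.
// RAW is the URL from the question; KEEP_ENCODED is an assumed rule, not Firefox's.
const RAW =
  "http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE" +
  "&displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22";

// Escapes left encoded for display so the URL structure stays unambiguous.
const KEEP_ENCODED = new Set(["/", "?", "#", "&", "=", "%", "+", " "]);

// Approximate an address bar's cosmetic decoding of the query string.
function displayForm(href) {
  const cut = href.indexOf("?");
  if (cut === -1) return href;
  const query = href.slice(cut + 1).replace(/%([0-9A-Fa-f]{2})/g, (esc, hex) => {
    const code = parseInt(hex, 16);
    if (code < 0x20 || code > 0x7e) return esc; // leave controls and non-ASCII bytes
    const ch = String.fromCharCode(code);
    return KEEP_ENCODED.has(ch) ? esc : ch;
  });
  return href.slice(0, cut + 1) + query;
}

// What a WHATWG-compliant client serializes (and sends) for a given input.
function wireForm(href) {
  return new URL(href).href;
}

// The parameter value a server-side decoder would hand to the application.
function paramValue(href, name) {
  return new URL(href).searchParams.get(name);
}

const shown = displayForm(RAW);
console.log("shown:  ", shown);            // matches the rewritten URL in the question
console.log("sent:   ", wireForm(RAW));    // byte-for-byte the URL that was typed
console.log("retyped:", wireForm(shown));  // quotes and angle brackets are re-encoded
console.log("value:  ", paramValue(RAW, "displayname"));
```

The typed URL and the displayed text serialize to different strings but decode to the same `displayname` value, so the server receives the same parameter whichever form the address bar shows.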
