5.5 does not preserve hostname casing


rorya
2006-07-27, 06:39 PM
This is one thing I liked about the < 5.5 OmniWeb (pre-WebKit). If you wanted to present a case-preserved hostname in the location bar, you could do a redirect from the web server. On the web server's response, the Location: header could contain a mixed-case hostname and OmniWeb would preserve that when doing the redirect on the location bar. IE/Mac was also one of the few newish browsers that preserved host casing.

So, now with 5.5, this does not work anymore. Actually this feature seems to be disappearing with modern browsers in general, and so I wondered why this is so? I'm guessing the reason why this feature may have disappeared with OW is due to changes made to support WebKit, as Safari never has been able to do this either. But I've never understood why this feature has been disappearing on new browsers. Does anyone know the reasons for this? As far as I know the HTTP RFCs don't forbid the use of case preservation, but maybe there's some other standard that does impose this requirement.

ericob
2006-08-02, 08:45 PM
I think that "not forbidding" would not be the same as "recognizing!"

I had always thought that domain names were case insensitive -- upper and lower case being treated as identical. If so, neither would be "forbidden." Instead, the difference would simply be ignored.

There would be no requirement for any part of the HTTP communication chain to preserve case in domain names.

Just musing. . .

Len Case
2006-08-02, 10:39 PM
There is however the security issue--if you allow and preserve mixed case, you allow a site like hotmaii to spoof hotmail by using a capital I (e.g. www.hotmaiI.com).

Bob Williams
2006-08-03, 12:08 AM
According to RFC 1035, "For all parts of the DNS that are part of the official protocol, all comparisons between character strings (e.g., labels, domain names, etc.) are done in a case-insensitive manner."; thus, preserving case in the browser does not present a security issue because "hotmail.com" and "hotmaiL.com" will end up resolving to exactly the same IP. And indeed:

PuddleJumper:~ bob$ host hotmail.com
hotmail.com has address 64.4.32.7
hotmail.com has address 64.4.33.7
PuddleJumper:~ bob$ host hotmaiL.com
hotmaiL.com has address 64.4.32.7
hotmaiL.com has address 64.4.33.7

The RFC goes on to state that, "When data enters the domain system, its original case should be preserved whenever possible." This suggests that, in fact, browsers should preserve case names in their location display.

<http://www.faqs.org/rfcs/rfc1035.html> - 2.3.3

In the end, this is a completely cosmetic issue. However, I do see the utility in it, since intercaps make many domain names easier to read.

Bob Williams
2006-08-03, 12:20 AM
I just noticed what you meant by security concern with the 'i'. Sorry, I misread.

That said, while it is a security issue, the threat only slightly increases an already very big threat--sort of like unbuckling your seat belt in a plane that's falling from 35k feet. Such spoofs are done all the time without requiring mixed case. While mixed-case presents more opportunities, it really comes down to the fact that you shouldn't go entering personal information into a site unless you trust how you got there. This is one of those cases where software simply can't protect users from their own carelessness.

rorya
2006-09-15, 01:02 AM
Yes, I agree Bob, that these "spoofs" are done every day in spam, even with this "lowercase the host" policy that most browsers seem to be using, in place.

It really has nothing to do with the DNS system, since the browser is never asking for a PTR RR. As I stated originally, it's for aesthetic reasons. It seems reasonable that the web browser should try to always preserve the casing received in the response Host header, e.g. http://www.MyLongDomainName.com being more readable than http://www.mylongdomainname.com.

-rory
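
An added example, not part of any post in this thread: it contrasts the hostname as written in a Location: value with the lowercased form the WHATWG URL parser produces, and flags the capital-I lookalike raised above. The function names, the trusted list and the sample URLs are assumptions constructed for illustration.

```javascript
// Constructed sample: names the user expects to see (assumption).
const TRUSTED = ["www.hotmail.com"];

// RFC 1035 section 2.3.3: names compare case-insensitively (ASCII letters only).
function sameDnsName(a, b) {
  const fold = (s) =>
    s.replace(/[A-Z]/g, (c) => c.toLowerCase()).replace(/\.$/, "");
  return fold(a) === fold(b);
}

// Host as the WHATWG URL parser canonicalises it: always lowercased.
function canonicalHost(locationValue) {
  return new URL(locationValue).hostname;
}

// Host exactly as written in the header value, case preserved.
// Skips optional userinfo; IPv6 literals are out of scope here.
function hostAsWritten(locationValue) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?([^\/?#:]+)/i.exec(locationValue);
  if (!m) throw new Error("no host in " + locationValue);
  return m[1];
}

// Visual skeleton for the one confusable discussed in the thread:
// a capital I is drawn like a lowercase l in many sans-serif fonts.
function skeleton(host) {
  return host.replace(/I/g, "l").toLowerCase();
}

// same-name: resolves to a trusted name regardless of case.
// lookalike: a case-preserving display would read as a trusted name,
//            but the name actually resolved is a different domain.
function classify(locationValue, trusted = TRUSTED) {
  const shown = hostAsWritten(locationValue);
  const real = canonicalHost(locationValue);
  for (const t of trusted) {
    if (sameDnsName(real, t)) return { shown, real, verdict: "same-name" };
  }
  for (const t of trusted) {
    if (skeleton(shown) === skeleton(t)) {
      return { shown, real, verdict: "lookalike", of: t };
    }
  }
  return { shown, real, verdict: "unrelated" };
}
```

Displaying the canonical (lowercased) host is what turns www.hotmaiI.com into the visibly different www.hotmaii.com; a case-preserving display would need a check like `classify` to offer the same protection.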