StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POWhy do FireFox and certain other browsers alter the URL in the address bar when the server responds
primarykey
Id
6395856
data
AcceptedAnswerId
0
AnswerCount
3
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2011-06-18T12:01:06.380
FavoriteCount
0
LastActivityDate
2013-03-26T23:39:22.430
LastEditDate
LastEditorUserId
0
OwnerUserId
797453
ParentId
0
PostTypeId
1
Score
3
ViewCount
1354
LastEditorDisplayName
text
Body
I'm having difficulty meeting PCI-DSS compliance this quarter because of the following problem. When you type the following into a browser... <pre><code>http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22 </code></pre> ...it responds and, as a consequence, for some reason that I cannot ascertain, the URL in the browswer address bar is changed to the following: <pre><code>http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname="><script>alert(123)<%2Fscript>" </code></pre> You can see that some of the escaped characters in the original URL have been replaced by unescaped ones. The reason I gave for this is that FireFox automatically reformats the URL in the address bar when the server responds, no matter how it responds, in order to make it more readable. I told them there was nothing I could do about it. However, in fairness, they countered that if you try the following URL... <pre><code>http://www.google.com/%22%%203E%3Cscript%3Ealert%28123%29%3C%2Fscript%3%20E%22 </code></pre> ...when the Google servers respond, the browser does not change the URL and it remains the same: <pre><code>http://www.google.com/%22%%203E%3Cscript%3Ealert%28123%29%3C%2Fscript%3%20E%22 </code></pre> And they have a point. So what on earth is going on? I've narrowed down the problem and if I do no more than request an empty text file, but append some nonsense query after it... <pre><code>http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22 </code></pre> ...lo and behold it gets rewritten when my local server responds: <a href="http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22" rel="nofollow">http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22</a> I've run this through Fiddler and can see nothing untoward, and I've turned off the rewrite engine. I'm running Apache. To add to the confusion, different browsers respond differently. Typing... <pre><code>http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22 </code></pre> ...into Chrome yields: <a href="http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22" rel="nofollow">http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22</a> Into IE, the URL stays exactly the same. In Opera, the query string is dropped unless you click on the address bar, lending credence to my belief that browsers automatically change URLs in address bars on response in order to make them more readable. Safari, like IE, leaves the URL alone. I'm going to check Google's response now for clues. Is there some HTTP directive that instructs the browser not to meddle with the URL on response. Any help very gratefully appreciated! Kind regards, James
Tags
<http><firefox><pci-dss><pci-compliance>
Title
Why do FireFox and certain other browsers alter the URL in the address bar when the server responds
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USJames Smith
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POWhy do FireFox and certain other browsers alter the URL in the address bar when the server responds
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POWhy do FireFox and certain other browsers alter the URL in the address bar when the server responds
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POWhy do FireFox and certain other browsers alter the URL in the address bar when the server responds
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COWhat has this got to do with pci-dss? I don't get it.
 singulars
 PostPostId
 POWhy do FireFox and certain other browsers alter the URL in the address bar when the server responds
 UserUserId
 USOded

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.