[webkit-dev] Changing the implementation of KURL

Maciej Stachowiak mjs at apple.com
Sun Jan 29 16:52:46 PST 2012

On Jan 28, 2012, at 8:01 PM, Darin Fisher wrote:

> Right.  In Firefox, the problem was that the cookie code used some hand-rolled
> string parsing code instead of reusing the URL parsing code.  That resulted in
> a subtle bug that could be exploited to steal cookies.  In Safari's case, I believe
> it was caused by differences between CFNetwork and KURL.
> If CFNetwork exposed an API to its URL parser, then it would be super wise for
> any port of WebKit using CFNetwork to reuse the same URL parser.

CFNetwork's URL parser is exposed as public API, in the form of CFURL. However, CFURL is designed for historical RFC compliance rather than for Web compatibility. It's not really a practical option at this time. Perhaps in due course, CFURL could be changed to use WTFURL under the covers, or offer a mode to do so. But planning that sort of thing would be outside the scope of this mailing list.


More information about the webkit-dev mailing list