Apache/httpd behaviour with IE4 urls.

Lloyd Wood (L.Wood@surrey.ac.uk)
Wed, 25 Feb 1998 15:52:13 +0000 (GMT)


We're looking at moving from the now-unsupported httpd to Apache for
our Solaris server. One of the differences we've noticed between httpd
and Apache is how Internet-Explorer-specific URLs (e.g. res: and mk:)
are handled.

When a non-IE browser issues a request for these non-recognised URLs,
httpd simply doesn't return any data. However, Apache returns a
'Forbidden/you don't have permission to access <URL> on this server',
indicating that Apache is actually trying to parse the
Microsoft-specific local-filesystem URL cocatenated with the directory
URL, finding nothing that matches, and deciding it's forbidden.

As something of a worst case, this is illustrated in my IE4 browser
exploit pages, where a meta-http reload of an IE4-specific URL may do
bad things to your browser:

For httpd 1.5.2a (until we upgrade to Apache):
http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4res/
http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4mk/

Our Apache 1.2.5 test server, where the pages perform rather worse
when viewed with any remaining non-IE browsers:
http://ithilien.ee.surrey.ac.uk/Personal/L.Wood/IE4res/
http://ithilien.ee.surrey.ac.uk/Personal/L.Wood/IE4mk/

Other than looking for an httpd home to redirect to that will serve
these pages for nostalgia reasons, this seems to raise a standards
issue - should webservers (and proxy caches, for that matter) know to
parse and deal with (in this case, ignore) requests for single-vendor
non-standard local URLs taking part of the namespace that no-one else
will then want to use?

Looks like Microsoft has res:, mk:, [a-z]: and presumably a number
of others sewn up.

L.

<L.Wood@surrey.ac.uk>PGP<http://www.sat-net.com/L.Wood/>