Making a trust decision based on the name of something is rife with error because there are so many ways to name resources, and such comparisons are often subject to canonicalization errors (Howard and LeBlanc 2003). Making a trust decision based on elements of a URI is fraught with risk because there are so many ways to canonicalize URIs. That said, all Web browsers make security decisions based on URIs. The real underlying risk with canonicalization arises when more than one piece of code interprets the same name differently. This "impedance mismatch" can lead to one unit of code deciding a name is "good" while another portion of code decides the same name is "bad." To alleviate this problem, the Internet Explorer 7 team migrated IE itself to use only one canonicalizer and then made that code available for all to use. That code is named the consolidated URL parser, or cURL (Microsoft 2006c).
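To make the impedance mismatch concrete, here is an added example; it is not from the book and not cURL's own code, and it uses portable C++ rather than urlmon so that it runs outside Windows. It places a strict component splitter built from the generic regular expression in RFC 3986 Appendix B beside a looser parser of the kind older Windows code used (one that treats a backslash like a slash and takes the first "@" as the end of the userinfo). The host names trusted.example and attacker.example, the sample URIs, and the helper names (splitRfc3986, naiveHost, strictHost, trustedBy, parsersAgree) are constructed for illustration.

```cpp
// Added example, not code from the book or from cURL: two URI parsers that
// disagree about the host, which is the "impedance mismatch" described above.
#include <iostream>
#include <regex>
#include <string>

struct UriParts {
    bool valid = false;
    std::string scheme, authority, host, path, query, fragment;
};

// Strict split using the generic-syntax regular expression from
// RFC 3986 Appendix B; the host is then carved out of the authority.
UriParts splitRfc3986(const std::string& uri) {
    static const std::regex re(
        R"re(^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?)re");
    UriParts p;
    std::smatch m;
    if (!std::regex_match(uri, m, re)) return p;  // every string matches; kept so the function is total
    p.valid = true;
    p.scheme = m[2].str();
    p.authority = m[4].str();
    p.path = m[5].str();
    p.query = m[7].str();
    p.fragment = m[9].str();

    // host = authority minus userinfo (everything up to the LAST '@') and minus the port.
    std::string a = p.authority;
    size_t at = a.rfind('@');
    if (at != std::string::npos) a = a.substr(at + 1);
    if (!a.empty() && a[0] == '[') {                       // IPv6 literal such as [::1]:8080
        size_t close = a.find(']');
        p.host = (close == std::string::npos) ? a : a.substr(0, close + 1);
    } else {
        size_t colon = a.rfind(':');
        p.host = (colon == std::string::npos) ? a : a.substr(0, colon);
    }
    return p;
}

// A second, looser parser of the kind older Windows code used: it treats '\'
// like '/' as an authority terminator and takes the FIRST '@' as the userinfo delimiter.
std::string naiveHost(const std::string& uri) {
    const size_t npos = std::string::npos;
    size_t start = uri.find("://");
    if (start == npos) return "";
    start += 3;
    size_t end = uri.find_first_of("/\\", start);
    std::string a = uri.substr(start, end == npos ? npos : end - start);
    size_t at = a.find('@');
    if (at != npos) a = a.substr(at + 1);
    size_t colon = a.find(':');
    if (colon != npos) a = a.substr(0, colon);
    return a;
}

std::string strictHost(const std::string& uri) { return splitRfc3986(uri).host; }

// The trust decision a component would make against a hypothetical allow-listed host.
bool trustedBy(const std::string& host) { return host == "trusted.example"; }

// True when both components would reach the same host, i.e. no mismatch.
bool parsersAgree(const std::string& uri) { return strictHost(uri) == naiveHost(uri); }

int main() {
    // Constructed sample inputs; the host names are placeholders.
    const char* samples[] = {
        "https://trusted.example:8443/path?q=1#frag",
        "http://trusted.example\\@attacker.example/",
        "http://attacker.example#@trusted.example/",
    };
    for (const char* s : samples) {
        std::cout << s
                  << "\n  strict host: " << strictHost(s)
                  << "\n  naive host : " << naiveHost(s)
                  << "\n  agree      : " << (parsersAgree(s) ? "yes" : "NO (impedance mismatch)")
                  << "\n";
    }
    return 0;
}
```

For the second and third inputs the loose parser reports trusted.example while the strict parser reports attacker.example. A zone or allow-list check that runs on the loose parser's answer while the request is issued with the strict parser's answer is exactly the good/bad split the text describes, and the remedy is the one the IE team applied: a single parser used by every component that takes part in the decision.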
Note: Although a few exceptions exist for compatibility purposes, cURL is generally aggressive at rejecting URIs that are invalid under the latest standard covering the subject, RFC 3986.
To use cURL in your browser component, include <urlmon.h>, link with urlmon.lib, and make sure the following line appears in your code before urlmon.h is included:

    #define _WIN32_IE _WIN32_IE_IE70
The following code shows a basic way to use the cURL interface to create a URI, and break it down into its requisite components.
    #define _WIN32_IE _WIN32_IE_IE70
    #include <windows.h>
    #include <urlmon.h>
    #include <stdio.h>
    #pragma comment(lib, "urlmon.lib")

    int wmain(int argc, wchar_t* argv[])
    {
        if (argc != 2) {
            wprintf(L"Please enter a URL\n");
            return -1;
        }
        wchar_t *pwszUri = argv[1];

        // Create an IUri object from the URI
        IUri *pIUri = NULL;
        HRESULT hr = CreateUri(pwszUri, Uri_CREATE_ALLOW_RELATIVE, 0, &pIUri);
        if (SUCCEEDED(hr)) {
            // Each accessor hands back a BSTR the caller must free
            BSTR bstrSchemeName = NULL;
            if (SUCCEEDED(pIUri->GetSchemeName(&bstrSchemeName))) {
                wprintf(L"Scheme: %s\n", bstrSchemeName);
                SysFreeString(bstrSchemeName);
            }
            BSTR bstrHost = NULL;
            if (SUCCEEDED(pIUri->GetHost(&bstrHost))) {
                wprintf(L"Host  : %s\n", bstrHost);
                SysFreeString(bstrHost);
            }
            DWORD dwPort = 0;
            if (SUCCEEDED(pIUri->GetPort(&dwPort))) {
                wprintf(L"Port  : %d\n", dwPort);
            }
        } else {
            // cURL rejects URIs that are invalid under RFC 3986
            wprintf(L"CreateUri failed: 0x%08x\n", hr);
        }
        if (pIUri) pIUri->Release();
        return 0;
    }
Note also that there is a new COM interface named IInternetSecurityManagerEx2 that accepts IUri objects; use it instead of IInternetSecurityManagerEx and IInternetSecurityManager.
Various URL parsing functions, such as the following, are now considered deprecated in favor of cURL:
InternetCrackUrl
ParseURL
UrlIsOpaque
UrlGetPart
UrlGetLocation
InternetCanonicalizeUrl
UrlCanonicalize
UrlUnescape
UrlEscape
InternetCreateUrl
CreateURLMoniker
The performance impact of cURL is generally no different from using other canonicalization functions, but fewer function calls and therefore fewer redundant escape operations can lead to performance benefits.
There are potential application compatibility side effects because Internet Explorer 7 uses cURL internally and has much stricter URL parsing; some invalid URL sequences that used to work may no longer work in script or browser add-ons.