Specify validation of share_target at manifest load time.

[mgiuca]

Closes #25

---

Preview | Diff

[mgiuca]

It isn't quite correct to substitute the empty dictionary to find out whether a URL template will expand to within scope.

Consider a manifest:

{
    "scope": "/foo",
    "share_target": {
        "url_template": "/fo{text}o"
    }
}

The manifest will parse correctly, because expanding url_template with text = "" is "/foo". But if given any non-empty text, it will expand to be out of scope.

There are a few solutions to this:

1. Fix the scope checking algorithm (this) to somehow make sure it fails if any substitution would move it outside the scope.
2. Prevent template parameters from appearing in the path part (i.e., before the query) entirely.

[mgiuca]

This isn't strictly true, due to the above problem.

[pkotwicz]

I think this scenario might be problematic:

{
    "scope": "/foo",
    "share_target": {
        "url_template": "/foo/{text}/"
    }
}

If we do validation at parse time, it seems like |url_template| would fall under the scope. However, if a user wants to share ".." the URL will fall out of scope

[mgiuca]

That's a good point. (Note that other problematic characters such as '/' and '?' are not an issue because we encode the placeholders with the userinfo percent encode set, but '.' and '..' are a problem.)

I was going to suggest that we add U+002E to the encode set, but it turns out that won't help -- "%2e" is considered equivalent to ".". So I'm not sure exactly how we can prevent this: either prevent all placeholders from appearing before the '?' (would be the big hammer approach), or otherwise somehow ban these path segments.

[mgiuca]

I've closed this and moved the work to a new branch: https://github.com/mgiuca/web-share-target/tree/parse-at-parse-time which will actually parse the URL template as a URL instead of just validating it at load time.