
For irony's sake, one may link this file as

    https://github.com/fuchsia-mirror/docs/blob/master/the-book/../../master/the-book/dotdot.md


Nope, that actually 404s. It may appear to work, because most browsers will apply some equivalent to the `__fdio_cleanpath()` function mentioned in the article, resolving the traversal locally.

You can verify this as follows:

    curl -I --path-as-is 'https://github.com/fuchsia-mirror/docs/blob/master/the-book/../../master/the-book/dotdot.md'
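
As an added illustration (not part of the thread, and not GitHub's or Fuchsia's code): the Node.js sketch below shows the path a normalizing client puts on the wire versus what `curl --path-as-is` sends, plus a server-side check for dot segments that arrive unresolved. All function names are hypothetical, and treating `%2e` as `.` follows the WHATWG URL parser rather than RFC 3986 itself.

```javascript
// URL quoted in the thread; all function names below are hypothetical.
const RAW = 'https://github.com/fuchsia-mirror/docs/blob/master/the-book/../../master/the-book/dotdot.md';

// WHATWG URL parsers also treat %2e as "." when spotting dot segments.
const decodeDots = (seg) => seg.replace(/%2e/gi, '.');

// RFC 3986 section 5.2.4 (remove_dot_segments) for an absolute path.
function removeDotSegments(path) {
  const segs = path.split('/');
  const out = [];
  segs.forEach((seg, i) => {
    const last = i === segs.length - 1;
    const s = decodeDots(seg);
    if (s === '.' || s === '..') {
      if (s === '..' && out.length > 1) out.pop(); // never climb above "/"
      if (last) out.push('');                      // "/a/.." ends as "/"
    } else {
      out.push(seg);
    }
  });
  return out.join('/');
}

// Path exactly as typed: strip scheme and authority, drop query/fragment.
function rawPath(url) {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^/?#]*/i, '').split(/[?#]/)[0] || '/';
}

// What ends up in the request line: browsers normalize first,
// while `curl --path-as-is` sends the path untouched.
function pathOnWire(url, pathAsIs) {
  const p = rawPath(url);
  return pathAsIs ? p : removeDotSegments(p);
}

// Server-side check: does the received request target still contain
// "." or ".." segments (plain or %2e-encoded)? Useful to reject or log.
function hasDotSegments(path) {
  return path.split('/').some((seg) => ['.', '..'].includes(decodeDots(seg)));
}

console.log('browser sends :', pathOnWire(RAW, false));
console.log('--path-as-is  :', pathOnWire(RAW, true));
console.log('matches WHATWG URL parser:', pathOnWire(RAW, false) === new URL(RAW).pathname);
console.log('server sees dot segments :', hasDotSegments(pathOnWire(RAW, true)));
```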


If most browsers apply it... doesn't that mean it works? Maybe not in the resolved-by-the-server-returning-a-304 sense but in at least some sense.


Not as ironic as you'd think considering the article specifically talks about support for .. in userland tooling and uses CWD as an example.


Well, actually the article complains about stuff like

https://github.com/fuchsia-mirror/../internal-page/secret-re...

which is quite a bit more serious



