Re: URI resolution & safety

From: Mark Baker <distobj@acm.org>
Date: Sun, 25 Nov 2001 21:16:44 -0500 (EST)
Message-Id: <200111260216.VAA30953@markbaker.ca>
To: moore@cs.utk.edu (Keith Moore)
Cc: dcrocker@brandenburg.com (Dave Crocker), dee3@torque.pothole.com (Donald E. Eastlake 3rd), discuss@apps.ietf.org
> > The resolution of some URIs isn't safe.  I saw an "aim:" URI scheme
> > recently that allowed resolution of a URI to send an AIM message.  That
> > is a Bad Thing.
> 
> I don't think it's inherently bad, any more than
> mailto:discuss-request@apps.ietf.org?Subject=subscribe
> is bad.  What's bad is for client implementors to make it possible 
> for "clicking" on such a URI (or having it appear in a script or
> image tag on a web page) to result in a message being sent 
> without explicit user verification.   

Absolutely, but that's exactly what I mean by safe; no side effects upon
resolution.  mailto: is safe because 1) RFC 2368 defines semantics that
don't send the email, and 2) no implementation that I know about
automatically sends the email either.

MB
-- 
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA.      mbaker@planetfred.com
http://www.markbaker.ca   http://www.planetfred.com
Received on Sunday, 25 November 2001 21:19:11 GMT
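
One way a client can keep resolution free of side effects, as discussed in the message above (an added example, not code from the thread or from any mail client): resolving a mailto: URI only builds a draft, and sending is a separate step gated on user confirmation. The names `parse_mailto`, `send`, `activate`, the `confirm` callback and the header allow-list are assumptions of this example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Assumption: header allow-list chosen for this example; anything else is dropped.
ALLOWED_HEADERS = {"subject", "keywords", "body", "to", "cc"}

@dataclass
class Draft:
    to: list
    headers: dict
    body: str = ""
    sent: bool = False

def parse_mailto(uri):
    """Resolve a mailto: URI to an unsent Draft; resolution has no side effects."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto URI")
    draft = Draft(to=[unquote(a) for a in parts.path.split(",") if a], headers={})
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        name, value = unquote(name).lower(), unquote(value)
        if name not in ALLOWED_HEADERS:
            continue  # drop headers a link author should not control (e.g. bcc, from)
        if name == "to":
            draft.to.extend(a for a in value.split(",") if a)
        elif name == "body":
            draft.body = value
        else:
            draft.headers[name] = value
    return draft

def send(draft, confirm):
    """The only side-effecting step: runs only if the user approves the draft."""
    if confirm(draft):
        draft.sent = True  # a real client would hand off to its mail transport here
    return draft.sent

def activate(uri, confirm):
    """Hypothetical click handler: unknown schemes are never resolved implicitly."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "mailto":
        return send(parse_mailto(uri), confirm)
    return False  # e.g. a scheme whose resolution itself would send a message

# The mailto URI quoted in the thread, used as sample input.
URI = "mailto:discuss-request@apps.ietf.org?Subject=subscribe"
```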