
Re: Microsoft to Strike IE URL Passwords

From: <wizard@newsreports.org>
Date: Thu, 05 Feb 2004 18:16:53 -0500
Message-ID: <4022CEE5.82F4128F@newsreports.org>
To: ietf-http-wg-request@w3.org
Cc: HTTP Working Group <ietf-http-wg@w3.org>

RFC2396 describes a generic URI scheme,
including 3.2. Authority Component, without
specific application.

Going back to HTML 4.01 (as an example), it
permits at 2.1.3, Relative URIs. But, RFC2616
makes no allowance for Relative URIs.

And that is exactly what I am getting at in
my earlier message.  The protocol has nothing
to do with what is on the HTML page and what
a browser does with an element on the page.

The thought that I had in the last few days:

Is it not possible, when username@password is
encountered, to pop up the usual login dialog
box with the elements filled in? The dialog
box already shows the authentication domain.
This would require an explicit action on 
the part of the user and gives the user
notification that an authentication is 
being attempted and the host that the user
is going to.  

It is the *silent* bypassing of this dialog 
through the *interpretation* of username@password
that is causing it to be a difficulty in the 
case at hand. Popping up a dialog box is much
less draconian than ignoring username@password.

Since Monday, I have received correspondence from
a very large e-commerce payment system who are
concerned with this very problem.  I can tell
from the email address used to receive the correspondence
that the inquiries did not result from my posting
here on the list, but rather were related to 
searching for a solution.  This company
is the number one ranked company in their payment
method. They know that the proposed change
will break their systems at the customer level.

They are not happy campers. They are not Paypal,
but of similar magnitude.  It has already been
mentioned that Paypal payment links will break.


Julian Reschke wrote:
> wizard@newsreports.org wrote:
> > ...
> > If the argument is that 3.2.2 prescribes the
> > semantics of the href attribute of the HTML <A>
> > tag, then there is a lot of broken HTML code
> > out there because it is quite common to use
> > either root relative, or relative URLs in
> > href attributes.  The fact that common browsers
> > know what to do about this would be due to
> > their interpretative abilities.  By extension,
> > username:password@ is also an interpretive
> > ability.
>  > ...
> As a matter of fact, RFC2396 and the HTML spec describe what can go into
> an HTML href. The URL format used in HTTP messages is completely
> irrelevant here. And yes, of course relative URIs are allowed here.
>  > ...
> Julian
> --
> <green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760



iis bandwidth protection -- http://coldlink.com/

iis password protection -- http://wanderware.com/


Received on Thursday, 5 February 2004 18:13:47 UTC
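
The behaviour proposed in this message (show the login dialog, pre-filled, instead of silently using credentials embedded in a link), sketched as an added example that is not part of the original message or of any browser's code. `classifyLink`, `safeDecode` and the returned object shape are hypothetical names; parsing uses the standard WHATWG `URL` class, and the sample links are constructed.

```javascript
// Decode a userinfo field without throwing on a stray "%".
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Decide what a client should do with a link before following it.
// base is the URL of the page carrying the link, so relative hrefs resolve.
function classifyLink(href, base) {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return { action: "reject", reason: "unparseable" };
  }
  const isHttp = url.protocol === "http:" || url.protocol === "https:";
  if (!isHttp || (url.username === "" && url.password === "")) {
    return { action: "navigate", target: url.href };
  }
  // Userinfo present: nothing is sent silently. The dialog gets the values
  // pre-filled and displays the host that will actually be contacted.
  const prefill = {
    username: safeDecode(url.username),
    password: safeDecode(url.password),
  };
  const host = url.host; // the part after "@", with any port
  url.username = "";
  url.password = "";
  return { action: "prompt", host, prefill, target: url.href };
}

// Constructed sample links (not taken from the thread).
const samples = [
  ["http://alice:s3cret@shop.example/pay", undefined],
  ["../cart?id=1", "http://shop.example/a/b/page.html"],
  ["https://bob@pay.example:8443/", undefined],
];
for (const [href, base] of samples) {
  console.log(href, "->", JSON.stringify(classifyLink(href, base)));
}
```

The `target` returned for a `prompt` result has the userinfo stripped, so credentials reach the server only after the user confirms the dialog.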
