
Re: Microsoft to Strike IE URL Passwords

From: David Morris <dwm@xpasc.com>
Date: Thu, 5 Feb 2004 15:56:27 -0800 (PST)
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.33.0402051542270.25537-100000@egate.xpasc.com>



On Thu, 5 Feb 2004 wizard@newsreports.org wrote:

>
> It is the *silent* bypassing of this dialog
> through the *interpretation* of username@password
> that is causing it to be a difficulty in the
> case at hand. Popping up a dialog box is much
> less draconian than ignoring username@password
> altogether.
>

Actually, the MS fix isn't for the silent bypass per se; it
is for the fact that MSIE hides the content of the URL after the %01
character.

In my mind, that makes it an invalid URL which should be rejected. Your
suggestion for popping a dialog seems like a good optional security
enhancement. Add a checkbox to not show the dialog again for the same
server....

Dave Morris
Received on Thursday, 5 February 2004 19:01:02 GMT
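
The two behaviours discussed in this message, rejecting a URL whose userinfo hides a control character such as %01 and prompting when a URL carries credentials at all, can be sketched as the check below. This is an added example, not part of the original message or of any browser's code; the function name check_url, the verdict strings and the example hostnames are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Scheme, then the authority component, which ends at the first "/", "?" or "#"
# (RFC 3986 section 3.2). Anything before the last "@" in it is userinfo.
_AUTHORITY = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)')


def check_url(url):
    """Return (verdict, detail); verdict is 'ok', 'warn' or 'reject'."""
    m = _AUTHORITY.match(url)
    if not m:
        return ("reject", "no scheme://authority")
    authority = m.group(1)
    if "@" not in authority:
        return ("ok", authority)
    # The host the client will actually contact follows the LAST "@".
    userinfo, host = authority.rsplit("@", 1)
    # Decode %XX escapes so that an encoded control byte (%01) is caught
    # as well as a raw one.
    decoded = unquote_to_bytes(userinfo)
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return ("reject", "control character in userinfo; real host is " + host)
    # Well-formed credentials: the "pop up a dialog" case, showing the real host.
    return ("warn", "credentials in URL; real host is " + host)


if __name__ == "__main__":
    # Constructed sample URLs; the hostnames are placeholders.
    samples = [
        "http://www.example.com%01@host.example/login",
        "http://user:secret@host.example/",
        "http://host.example/path@segment",
    ]
    for s in samples:
        print(check_url(s), s)
```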
