
Explicit instructions on use of fragment in request URI

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Wed, 21 Apr 2010 23:19:58 -0700
To: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7FAE9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
This came up in the OAuth WG. One of the flows used to obtain a token relies on the fact that browsers don't send the fragment over to the server and uses it to encode credentials visible only to the browser (server provides them via a redirect Location header). I was asked what stops the browser from sending the fragment.

I spent some time trying to find where 2616 forbids including the fragment and the best I came up with is from 3986:

   the fragment identifier is separated
   from the rest of the URI prior to a dereference, and thus the
   identifying information within the fragment itself is dereferenced
   solely by the user agent, regardless of the URI scheme.

Mark pointed me to the definition of request-URI which is abs_path or absoluteURI from 2396, which in turn do not allow a fragment.

Would it be possible to make this easier?

Something like "the request URI MUST NOT include a fragment component"... :-)

Received on Thursday, 22 April 2010 06:20:42 UTC
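The flow the message describes, modelled as an added example (not part of the original message, and not OAuth WG or W3C code): the authorization server redirects with the token in the fragment of the Location header, the browser dereferences the redirect target with the fragment stripped (RFC 3986 section 3.5), so only in-page script can read the token. The hostnames, parameter names and token value below are constructed for illustration; the last function is the "request URI MUST NOT include a fragment component" check the message asks for, written as a server-side guard, which is an assumption about how one would enforce it rather than anything the thread specifies.

```javascript
// Added example: what a browser sends when following a redirect whose
// Location header carries credentials in the fragment, using Node's WHATWG
// URL API. Every URL and parameter name here is constructed for illustration.

// The request-target the browser puts on the wire for the redirect target:
// origin-form, i.e. path plus query. URL.hash is deliberately not part of it.
function requestTarget(locationHeader) {
  const u = new URL(locationHeader);
  return { host: u.host, target: u.pathname + u.search };
}

// The HTTP/1.1 request line the browser would emit, to make the absence of
// the fragment concrete.
function requestLine(locationHeader) {
  const { host, target } = requestTarget(locationHeader);
  return `GET ${target} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// What the client's server-side code can observe: query parameters only.
function serverVisibleParams(locationHeader) {
  return Object.fromEntries(new URL(locationHeader).searchParams);
}

// What only script running in the browser can observe: the fragment, parsed
// with query-string syntax as the OAuth user-agent flow does.
function fragmentParams(locationHeader) {
  const hash = new URL(locationHeader).hash; // '#...' or '' when absent
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, '')));
}

// Assumed server-side guard (not from the thread): a request-target is
// either absolute-path or absolute-URI form and must not carry a fragment.
// A '#' in the request line means a non-conforming client, so refuse it.
function isValidRequestTarget(target) {
  if (target.includes('#')) return false;
  return target.startsWith('/') || /^[a-z][a-z0-9+.-]*:/i.test(target);
}

// Constructed redirect: token in the fragment, state in the query.
const FRAGMENT_REDIRECT =
  'https://client.example.com/cb?state=xyz' +
  '#access_token=2YotnFZFEjr1zCsicMWpAA&token_type=bearer&expires_in=3600';

// The same token placed in the query string instead: it would be sent to
// the client's server (and land in its access logs and Referer headers).
const QUERY_REDIRECT =
  'https://client.example.com/cb?state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA';

console.log(requestLine(FRAGMENT_REDIRECT));
console.log('server sees:', serverVisibleParams(FRAGMENT_REDIRECT));
console.log('browser-only:', fragmentParams(FRAGMENT_REDIRECT));
console.log('query variant, server sees:', serverVisibleParams(QUERY_REDIRECT));
console.log('request-target with fragment accepted?',
  isValidRequestTarget('/cb#access_token=2YotnFZFEjr1zCsicMWpAA'));
```

The split between `serverVisibleParams` and `fragmentParams` is the whole security argument of the flow: the same key/value syntax is used on both sides of the `#`, and only the browser's handling of the request-target keeps the token on the left side of the wire.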
