W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2010

Re: Explicit instructions on use of fragment in request URI

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 22 Apr 2010 08:38:11 +0200
Message-ID: <4BCFEED3.2010008@gmx.de>
To: Eran Hammer-Lahav <eran@hueniverse.com>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
On 22.04.2010 08:19, Eran Hammer-Lahav wrote:
> This came up in the OAuth WG. One of the flows used to obtain a token relies on the fact that browsers don't sent the fragment over to the server and uses it to encoded credentials visible only to the browser (server provides them via a redirect Location header). I was asked what stops the browser from sending the fragment.
>
> I spent some time trying to find where 2616 forbids including the fragment and the best I came up with is from 3986:
>
>     the fragment identifier is separated
>     from the rest of the URI prior to a dereference, and thus the
>     identifying information within the fragment itself is dereferenced
>     solely by the user agent, regardless of the URI scheme.
>
> Mark pointed me to the definition of request-URI which is abs_path or absoluteURI from 2396, which in turn do not allow a fragment.
>
> Would it be possible to make this easier?
>
> Something like "the request URI MUST NOT include a fragment component"... :-)

Not convinced.

a) Has this been a problem somewhere?

b) Making a BCP14 requirement on something the syntax doesn't allow in 
the first place doesn't feel right to me. If the request contains a 
fragment component, it's invalid. Period.

Best regards, Julian
Received on Thursday, 22 April 2010 06:45:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:18 GMT