
RE: Explicit instructions on use of fragment in request URI

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Thu, 22 Apr 2010 00:26:13 -0700
To: Julian Reschke <julian.reschke@gmx.de>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7FAF1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
It's not intuitive for the occasional reader to figure out that absolute-URI doesn't include fragment. Now that it was pointed out to me, it seems pretty straightforward. I think it will help developers avoid this mistake (of sending a fragment), but then again, I'm not sure how many of them will read the spec that closely. I am going to make it clear in the OAuth spec because sending the fragment is a security risk.

EHL

> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Wednesday, April 21, 2010 11:58 PM
> To: Eran Hammer-Lahav
> Cc: HTTP Working Group (ietf-http-wg@w3.org)
> Subject: Re: Explicit instructions on use of fragment in request URI
> 
> On 22.04.2010 08:49, Eran Hammer-Lahav wrote:
> > I'm not looking for a MUST NOT. But it would be nice for the spec to say "btw, you can't use fragments here".
> >
> > I always knew fragments are not allowed, but when asked, I couldn't show where that's defined. And because HTTP doesn't make it easy, OAuth has to make developers aware of that.
> > ...
> 
> Still trying to understand the issue.
> 
> The ABNF doesn't allow the fragment here; is that really so hard to spot?
> 
> Best regards, Julian
Received on Thursday, 22 April 2010 07:33:39 GMT
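
The rule discussed in this thread (the request URI carries no fragment), as an added example that is not part of the original messages: a client-side helper that builds the request-target without the fragment, and a server-side check that rejects a request line containing one. The function names, host name and URL values are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit


def request_target(url, absolute_form=False):
    """Build the request-target for an http(s) URL, never including the fragment.

    absolute_form=True gives the form sent to a proxy (scheme://host/path?query);
    otherwise only the path and query are returned.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URL")
    # parts.fragment is deliberately ignored: it stays on the client.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    if absolute_form:
        # Drop any userinfo as well; it does not belong on the wire either.
        host = parts.netloc.rpartition("@")[2]
        target = f"{parts.scheme}://{host}{target}"
    return target


def parse_request_line(line):
    """Server side: split a request line and refuse a target containing '#'."""
    fields = line.split(" ")
    if len(fields) != 3:
        raise ValueError("malformed request line")
    method, target, version = fields
    if "#" in target:
        # A fragment here means the client leaked data it should have kept local.
        raise ValueError("fragment not allowed in request-target")
    return method, target, version


if __name__ == "__main__":
    # Constructed sample URL; the fragment stands in for data meant for the client only.
    url = "https://client.example/cb?state=xyz#secret=CONSTRUCTED"
    print(request_target(url))
    print(request_target(url, absolute_form=True))
    print(parse_request_line("GET " + request_target(url) + " HTTP/1.1"))
```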
