
disallowing userinfo in http and https URIs

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 27 Jul 2010 18:59:11 -0700
Message-Id: <10027AF0-B1AF-41FF-BCD5-AA479697C1AD@gbiv.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
FYI, I added the following paragraph for draft 11 as part of addressing
ticket #159 in

  http://trac.tools.ietf.org/wg/httpbis/trac/changeset/877

p1, sec 2.6.1:  added paragraph:

   The URI generic syntax for authority also includes a deprecated
   userinfo subcomponent ([RFC3986], Section 3.2.1) for including
   user authentication information in the URI. The userinfo
   subcomponent (and its "@" delimiter) MUST NOT be used in an
   "http" URI. URI reference recipients SHOULD parse for the
   existence of userinfo and treat its presence as an error,
   likely indicating that the deprecated subcomponent is being used
   to obscure the authority for the sake of phishing attacks.

I'm pretty sure that this topic was discussed before on list, though
I can't find the thread at the moment.  Please let us know if you
disagree with this change.

....Roy
Received on Wednesday, 28 July 2010 01:59:44 GMT
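The check the added paragraph asks of "URI reference recipients" (parse for userinfo, treat its presence as an error) is worth seeing as code. The block below is an added example written for this page; it is not from the httpbis draft or from Roy's post. It applies the RFC 3986 section 3 grammar (authority = [ userinfo "@" ] host [ ":" port ], with the authority ending at the first "/", "?" or "#") so that an "@" in the path, query or fragment is not mistaken for userinfo, and it goes slightly beyond the draft text by applying the rule to "https" as well as "http". The regex, the function names and the sample links (documentation addresses only) are assumptions made here.

```python
# Added example (not from the draft or the post): recipient-side rejection of
# "http"/"https" URIs that carry the deprecated userinfo subcomponent.
# Grammar per RFC 3986 section 3:
#   authority = [ userinfo "@" ] host [ ":" port ]
# and the authority runs from "//" to the next "/", "?", "#" or end of string,
# so an "@" in the path, query or fragment is not userinfo.
import re

_URI_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*):"  # scheme ":"
    r"//(?P<authority>[^/?#]*)"                # authority: everything up to / ? #
    r"(?P<rest>.*)$",
    re.DOTALL,
)


class UserinfoError(ValueError):
    """Raised when an http(s) URI carries userinfo (and its "@" delimiter)."""


def split_uri(uri):
    """Return (scheme, authority, rest); ValueError if there is no authority."""
    m = _URI_RE.match(uri)
    if m is None:
        raise ValueError("no authority component: %r" % (uri,))
    return m.group("scheme").lower(), m.group("authority"), m.group("rest")


def host_of(authority):
    """Strip an optional port from an authority that has no userinfo."""
    if authority.startswith("["):            # IP-literal such as [2001:db8::1]:8443
        end = authority.find("]")
        return authority if end < 0 else authority[:end + 1]
    return authority.split(":", 1)[0]


def check_http_uri(uri):
    """Return the real host of an http/https URI, or raise.

    UserinfoError: the authority contains "@"; the text before the last "@"
    is what a lure shows the victim, the text after it is where the request
    would actually go.
    ValueError: not an http/https URI, or no authority at all.
    """
    scheme, authority, _ = split_uri(uri)
    if scheme not in ("http", "https"):
        raise ValueError("not an http or https URI: %r" % (uri,))
    if "@" in authority:
        shown, _, actual = authority.rpartition("@")
        raise UserinfoError(
            "userinfo %r hides the real authority %r" % (shown, host_of(actual)))
    return host_of(authority)


def classify(uri):
    """Map a URI to ('ok', host) or ('error', reason) for a triage loop."""
    try:
        return ("ok", check_http_uri(uri))
    except ValueError as e:                  # UserinfoError is a ValueError too
        return ("error", str(e))


# Constructed sample links (documentation names and addresses, not real sites).
SAMPLES = [
    "http://www.example.com@192.0.2.10/login",        # classic lure
    "https://bank.example:443@evil.example/",          # fake port inside the userinfo
    "http://user:secret@example.com/",                 # credentials in the URI
    "http://example.com/path@here?to=a@b#frag@x",      # "@" outside the authority
    "https://[2001:db8::1]:8443/api",                  # IPv6 literal with port
    "mailto:someone@example.com",                      # no authority at all
]

if __name__ == "__main__":
    for u in SAMPLES:
        verdict, detail = classify(u)
        print("%-5s %-46s %s" % (verdict, u, detail))
```

Splitting on the last "@" mirrors what a user agent that still honours userinfo would do, which is exactly why "http://www.example.com@192.0.2.10/" reads as one host and connects to another; the check reports both halves so a log entry or error message shows the displayed name next to the real target.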
