Re: disallowing userinfo in http and https URIs

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 28 Jul 2010 14:05:58 +1200
Message-ID: <4C4F9086.4070107@qbik.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>

I'm all for removing it, but isn't that the only way that IE will auth 
to an FTP server via an HTTP proxy?  We see these URIs all the time.
On 28/07/2010 1:59 p.m., Roy T. Fielding wrote:
> FYI, I added the following paragraph for draft 11 as part of addressing
> ticket #159 in
>    http://trac.tools.ietf.org/wg/httpbis/trac/changeset/877
> p1, sec 2.6.1:  added paragraph:
>     The URI generic syntax for authority also includes a deprecated
>     userinfo subcomponent ([RFC3986], Section 3.2.1) for including
>     user authentication information in the URI. The userinfo
>     subcomponent (and its "@" delimiter) MUST NOT be used in an
>     "http" URI. URI reference recipients SHOULD parse for the
>     existence of userinfo and treat its presence as an error,
>     likely indicating that the deprecated subcomponent is being used
>     to obscure the authority for the sake of phishing attacks.
> I'm pretty sure that this topic was discussed before on list, though
> I can't find the thread at the moment.  Please let us know if you
> disagree with this change.
> ....Roy
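As an added illustration of the recipient-side check the quoted draft paragraph calls for (example code, not part of this thread or of the HTTPbis draft; the sample URI references and the hostnames in them are constructed), the following parses only the authority for userinfo, so an "@" in the path, query or fragment is not flagged, and it leaves non-http schemes such as ftp alone, which is the case raised in the reply above:

```python
"""Recipient-side check for the deprecated userinfo subcomponent in http(s) URIs."""
from urllib.parse import urlsplit

HTTP_SCHEMES = {"http", "https"}


def find_userinfo(uri_reference: str):
    """Return (userinfo, hostport) if the authority carries userinfo, else None.

    Only the authority is inspected, so an "@" that appears in the path,
    query or fragment is not mistaken for userinfo.  A network-path reference
    ("//host/...") has no scheme of its own and is checked too, on the
    assumption that it will be resolved against an http(s) base URI.
    """
    parts = urlsplit(uri_reference)
    if parts.scheme and parts.scheme.lower() not in HTTP_SCHEMES:
        return None  # the draft's rule covers "http" URIs only
    # urlsplit ends the authority at the first "/", "?" or "#" (RFC 3986,
    # Section 3.2).  A percent-encoded "%40" is a literal octet, not the
    # delimiter, so it is not userinfo; host-name validation (not shown)
    # would reject such an authority separately.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return None
    return userinfo, hostport


def classify(uri_reference: str) -> str:
    """Apply the draft's MUST NOT: any userinfo in an http(s) URI is an error."""
    return "accept" if find_userinfo(uri_reference) is None else "reject"


# Constructed sample references (not taken from the thread).
SAMPLES = [
    "http://trusted.example/login",                # accept
    "http://trusted.example/a@b?x=c@d#e@f",        # accept: "@" outside the authority
    "http://trusted.example@other.example/login",  # reject: host-like userinfo, real host differs
    "https://alice:secret@other.example:8443/",    # reject: credentials carried in the URI
    "//alice@other.example/",                      # reject: scheme-relative reference
    "ftp://alice@files.example/",                  # accept: not an "http" URI
]

if __name__ == "__main__":
    for ref in SAMPLES:
        found = find_userinfo(ref)
        detail = "" if found is None else f"  userinfo={found[0]!r} host={found[1]!r}"
        print(f"{ref:44} -> {classify(ref)}{detail}")
```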
Received on Wednesday, 28 July 2010 02:06:49 UTC