W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: disallowing userinfo in http and https URIs

From: Mark Baker <mark@zepheira.com>
Date: Wed, 28 Jul 2010 00:02:46 -0400
Message-ID: <AANLkTi=wsr_EhV411bmBfCLNqcoM5tAtjFSmj-9AsVzT@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi Roy,

On Tue, Jul 27, 2010 at 9:59 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> FYI, I added the following paragraph for draft 11 as part of addressing
> ticket #159 in
>
>  http://trac.tools.ietf.org/wg/httpbis/trac/changeset/877
>
> p1, sec 2.6.1:  added paragraph:
>
>   The URI generic syntax for authority also includes a deprecated
>   userinfo subcomponent ([RFC3986], Section 3.2.1) for including
>   user authentication information in the URI. The userinfo
>   subcomponent (and its "@" delimiter) MUST NOT be used in an
>   "http" URI. URI reference recipients SHOULD parse for the
>   existence of userinfo and treat its presence as an error,
>   likely indicating that the deprecated subcomponent is being used
>   to obscure the authority for the sake of phishing attacks.
>
> I'm pretty sure that this topic was discussed before on list, though
> I can't find the thread at the moment.  Please let us know if you
> disagree with this change.

FWIW, we use this construct in the Akara HTTP server project, but
those http URIs are only ever found in configuration files, never on
the wire.

The use of userinfo on the wire is obviously a security nightmare, and
I welcome bold warnings about its use, but I wonder if requiring they
be treated as erroneous is necessary, especially when there's so many
existing agents which silently ignore it (just tested Firefox 3.6.8,
latest Chrome beta, wget), or support it by initiating basic auth
(curl).

Mark.
Received on Wednesday, 28 July 2010 04:03:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:23 GMT