Re: [whatwg/fetch] Block subresource requests whose URLs include credentials. (#465)

From http://httpwg.org/specs/rfc7230.html#http.uri --

> The URI generic syntax for authority also includes a deprecated userinfo subcomponent ([RFC3986], Section 3.2.1) for including user authentication information in the URI. Some implementations make use of the userinfo component for internal configuration of authentication information, such as within command invocation options, configuration files, or bookmark lists, even though such usage might expose a user identifier or password. A sender MUST NOT generate the userinfo subcomponent (and its "@" delimiter) when an "http" URI reference is generated within a message as a request target or header field value. Before making use of an "http" URI reference received from an untrusted source, a recipient SHOULD parse for userinfo and treat its presence as an error; it is likely being used to obscure the authority for the sake of phishing attacks.

Background:
  - https://trac.ietf.org/trac/httpbis/ticket/159
  - http://www.w3.org/mid/10027AF0-B1AF-41FF-BCD5-AA479697C1AD@gbiv.com (thread)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/465#issuecomment-356784130

Received on Thursday, 11 January 2018 00:29:37 UTC
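As an added example that is not part of the comment above, the Fetch pull request, or either spec's own code: the recipient-side check the quoted RFC 7230 passage recommends (parse for userinfo, treat its presence as an error), written against the WHATWG URL parser that browsers and Node.js expose as the global URL. The function names checkRequestUrl and rawAuthorityHasUserinfo and the sample URLs are constructed for this illustration.

```javascript
// Added example, not code from the Fetch PR, the WHATWG URL spec or RFC 7230.
// checkRequestUrl and rawAuthorityHasUserinfo are hypothetical names chosen
// for this illustration; the sample URLs below are constructed.

// Decode a percent-encoded component without throwing on malformed input
// (the URL parser passes stray "%zz" through untouched, which would make a
// bare decodeURIComponent raise a URIError).
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Parse `input` (optionally relative to `base`) and reject it if the WHATWG
// parser reports any userinfo. Fetch's notion of a URL that "includes
// credentials" is exactly this: username or password is non-empty.
function checkRequestUrl(input, base) {
  let url;
  try {
    url = new URL(input, base);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.username !== "" || url.password !== "") {
    return {
      ok: false,
      reason: "userinfo present",
      // What a victim is likely to read as the host, versus the host the
      // request would really go to: the phishing trick RFC 7230 describes.
      apparentHost: safeDecode(url.username),
      actualHost: url.host,
    };
  }
  return { ok: true, href: url.href };
}

// Stricter variant on the raw string of an absolute URL: reject any "@" in
// the authority component. This also catches an empty userinfo such as
// "http://@example.com/", which the WHATWG parser drops before .username
// could ever reflect it. Authority is everything between "//" and the first
// "/", "\", "?" or "#" (backslash counts as "/" for special schemes).
function rawAuthorityHasUserinfo(input) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^/\\?#]*)/.exec(input);
  return m !== null && m[1].includes("@");
}

// Constructed sample inputs: a plain URL, two phishing-style URLs, an empty
// userinfo, and one where the "@" sits in the path rather than the authority.
const SAMPLES = [
  "https://www.example.com/login",
  "http://bank.example.com@evil.example/login",
  "https://paypal.example:x%40y@203.0.113.7/",
  "http://@example.com/",
  "https://www.example.com/users/@alice",
];

function runSamples() {
  return SAMPLES.map((s) => ({
    input: s,
    parsed: checkRequestUrl(s),
    rawAt: rawAuthorityHasUserinfo(s),
  }));
}

for (const r of runSamples()) {
  console.log(JSON.stringify(r));
}
```

The second and third samples show the point of the RFC's warning: the parser reports bank.example.com and paypal.example as the username, while the request would go to evil.example and 203.0.113.7. The fourth sample shows the gap between the two checks: the WHATWG parser serialises "http://@example.com/" as "http://example.com/" with an empty username, so checkRequestUrl accepts it, whereas the raw-authority test still sees the "@" delimiter. The last sample confirms that an "@" in the path is not userinfo under either check.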