- From: <michael.mccormick@wellsfargo.com>
- Date: Tue, 4 Mar 2008 09:49:35 -0600
- To: <public-wsc-wg@w3.org>
- Message-ID: <9D471E876696BE4DA103E939AE64164DF39718@msgswbmnmsp17.wellsfargo.com>
http://no-www.org/ http://yes-www.org/ No doubt most of you are familiar with these web sites, and with the arguments for and against requiring host names in URLs. Most browsers seem to make it a moot point by accepting both forms of URL. If I type "example.com" into my browser it takes me to http://www.example.com. The agent is letting me be lazy and skip typing the protocol (http://) or hostname (www.) portions of my destination address. The process of URL disambiguation, whereby the UA attempts to guess parts of the address the user has omitted, should be standardized for both security & experience reasons: [protocol://][host.][domain][.TLD][:port][/[path]][?query] - If protocol omitted, UA must try https before http. (Always prefer a TLS protected destination.) - If host omitted, and protocol is http(s), UA may try the host name "www" in the target domain if it has a DNS record, unless the agent is in SBM mode. - etc. > Michael McCormick, CISSP > Lead Security Architect, Information Security Technologies > Wells Fargo Bank > "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS > FARGO" > This message may contain confidential and/or privileged information. > If you are not the addressee or authorized to receive this for the > addressee, you must not use, copy, disclose, or take any action based > on this message or any information herein. If you have received this > message in error, please advise the sender immediately by reply e-mail > and delete this message. Thank you for your cooperation. >
Received on Tuesday, 4 March 2008 15:50:14 UTC