Re: URL disambiguation

michael.mccormick@wellsfargo.com wrote:
> _http://no-www.org/_
> _http://yes-www.org/_
> 
> No doubt most of you are familiar with these web sites, and with the 
> arguments for and against requiring host names in URLs.
> 
> Most browsers seem to make it a moot point by accepting both forms of 
> URL.  

Does the browser? Isn't that usually done via a CNAME in DNS or else
by having two A records for the server? It'd be wrong for a browser to
assume that the A record for tcd.ie and www.tcd.ie need to be the
same.

S.

 > If I type "example.com" into my browser it takes me to
> _http://www.example.com_.  The agent is letting me be lazy and skip 
> typing the protocol (_http://_) or hostname (_www._ <file://www.>) 
> portions of my destination address.
> 
> The process of URL disambiguation, whereby the UA attempts to guess 
> parts of the address the user has omitted, should be standardized for 
> both security & experience reasons:
> 
> [protocol://][host.][domain][.TLD][:port][/[path]][?query]
> 
>  - If protocol omitted, UA must try https before http.  (Always prefer a 
> TLS protected destination.)
> 
>  - If host omitted, and protocol is http(s), UA may try the host name 
> "www" in the target domain if it has a DNS record, unless the agent is 
> in SBM mode.
> 
>  - etc.
> 
> 
> *Michael McCormick, CISSP*
> Lead Security Architect, Information Security Technologies
> Wells Fargo Bank
> “THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS 
> FARGO"
> /This message may contain confidential and/or privileged information.  
> If you are not the addressee or authorized to receive this for the 
> addressee, you must not use, copy, disclose, or take any action based on 
> this message or any information herein.  If you have received this 
> message in error, please advise the sender immediately by reply e-mail 
> and delete this message.  Thank you for your cooperation./
>

Received on Tuesday, 4 March 2008 20:00:38 UTC