- From: <michael.mccormick@wellsfargo.com>
- Date: Tue, 4 Mar 2008 13:59:51 -0600
- To: <stephen.farrell@cs.tcd.ie>
- Cc: <public-wsc-wg@w3.org>
There are several possible scenarios, including:

1. tcd.ie and www.tcd.ie both have A records
2. www.tcd.ie has an A record and tcd.ie has a CNAME record aliased to it
3. only www.tcd.ie has a DNS record

I was focused on scenario 3. I don't see scenarios 1 or 2 as requiring any URL disambiguation in the browser.

In scenario 3 I believe there are some browsers that will send a user who enters "tcd.ie" to www.tcd.ie instead of returning a Domain Does Not Exist error. This is the behavior that I feel W3C should restrict or at least standardize.

I hope this clarifies my intent.

Cheers, Mike

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
Sent: Tuesday, March 04, 2008 1:45 PM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: Re: URL disambiguation

michael.mccormick@wellsfargo.com wrote:
> _http://no-www.org/_
> _http://yes-www.org/_
>
> No doubt most of you are familiar with these web sites, and with the
> arguments for and against requiring host names in URLs.
>
> Most browsers seem to make it a moot point by accepting both forms of
> URL.

Does the browser? Isn't that usually done via a CNAME in DNS or else by having two A records for the server?

It'd be wrong for a browser to assume that the A record for tcd.ie and www.tcd.ie need to be the same.

S.

> If I type "example.com" into my browser it takes me to
> _http://www.example.com_. The agent is letting me be lazy and skip
> typing the protocol (_http://_) or hostname (_www._ <file://www.>)
> portions of my destination address.
>
> The process of URL disambiguation, whereby the UA attempts to guess
> parts of the address the user has omitted, should be standardized for
> both security & experience reasons:
>
> [protocol://][host.][domain][.TLD][:port][/[path]][?query]
>
> - If protocol omitted, UA must try https before http. (Always prefer
> a TLS protected destination.)
>
> - If host omitted, and protocol is http(s), UA may try the host name
> "www" in the target domain if it has a DNS record, unless the agent is
> in SBM mode.
>
> - etc.
>
>
> *Michael McCormick, CISSP*
> Lead Security Architect, Information Security Technologies Wells Fargo
> Bank "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF
> WELLS FARGO"
> /This message may contain confidential and/or privileged information.
> If you are not the addressee or authorized to receive this for the
> addressee, you must not use, copy, disclose, or take any action based
> on this message or any information herein. If you have received this
> message in error, please advise the sender immediately by reply e-mail
> and delete this message. Thank you for your cooperation./
>
Received on Tuesday, 4 March 2008 20:01:37 UTC
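
The two disambiguation rules proposed in the quoted message, run against the three DNS scenarios listed in the reply, as an added example that is not part of the original thread. `ZONE`, `candidates`, `safeMode` (standing in for "SBM mode") and the `.example` names are constructed for illustration, and treating a bare name that resolves as needing no host guess is an assumption drawn from the scenario list.

```javascript
// Constructed DNS data for the three scenarios (placeholder names).
const ZONE = {
  "both-a.example": "A", "www.both-a.example": "A",        // scenario 1
  "aliased.example": "CNAME", "www.aliased.example": "A",  // scenario 2
  "www.only-www.example": "A",                             // scenario 3
};
const hasRecord = (name) => Object.prototype.hasOwnProperty.call(ZONE, name);

// Returns the ordered list of URLs a UA following the proposed rules would try.
// An empty list means: report the name-resolution error instead of guessing.
function candidates(input, { safeMode = false, resolves = hasRecord } = {}) {
  const m = /^(?:(https?):\/\/)?([^\/:?#]+)(:\d+)?([\/?#].*)?$/i.exec(input.trim());
  if (!m) return [];
  const [, scheme, rawHost, port = "", rest = ""] = m;
  const host = rawHost.toLowerCase();

  // Rule 1: protocol omitted -> try https before http.
  const schemes = scheme ? [scheme.toLowerCase()] : ["https", "http"];

  // Rule 2: guess "www" only when the typed name has no record, the www name
  // does, and the agent is not in safe mode (scenario 3).
  let target = null;
  if (resolves(host)) {
    target = host;                       // scenarios 1 and 2: nothing to guess
  } else if (!safeMode && !host.startsWith("www.") && resolves("www." + host)) {
    target = "www." + host;              // scenario 3: the only guessed host
  }
  return target ? schemes.map((s) => `${s}://${target}${port}${rest}`) : [];
}
```
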