RE: URL disambiguation

Users may find it convenient but this is risky UA behavior from a
security perspective in my opinion.  I don't like browsers second
guessing location or changing the URL in non-RFC fashion.
 
That being said, I could probably be persuaded that substituting null
hostname with www is a special case provided it's not HTTPS nor SBM.  No
other substitutions should be allowed though.
 


  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Tuesday, March 04, 2008 2:54 PM
To: McCormick, Mike
Cc: stephen.farrell@cs.tcd.ie; public-wsc-wg@w3.org
Subject: Re: URL disambiguation


Why are we saying that it shouldn't be done in other modes? If (for some
strange reason) somesite.com doesn't work, and the browser tries
www.somesite.com, I would view that as being helpful. Given that it's
something that many people rely on, I'd be surprised if you got any
traction for taking it out. 

Obviously I think the browser should first try somesite.com, and if that
returns a result (either an A record or a CNAME) that should be honored,
but if not, it seems like it's in the interest of the user for the
browser to try www.

-Ian


On Tue, Mar 4, 2008 at 12:33 PM, <michael.mccormick@wellsfargo.com>
wrote:



	I agree with you Stephen.
	
	Specifically I would say: "The user agent MUST NOT disambiguate the URL
	host name when in Safe Browsing Mode, and SHOULD NOT do so in other
	modes of operation" where host disambiguation is specifically defined to
	mean "Try alternate host names such as 'www' when the input host name is
	irresolvable via standard domain name services".
	
	Thanks, Mike
	


	-----Original Message-----
	From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
	Sent: Tuesday, March 04, 2008 2:25 PM
	To: McCormick, Mike
	Cc: public-wsc-wg@w3.org
	Subject: Re: URL disambiguation
	
	
	
	michael.mccormick@wellsfargo.com wrote:
	> There are several possible scenarios, including:
	>
	> 1. tcd.ie and www.tcd.ie both have A records
	> 2. www.tcd.ie has an A record and tcd.ie has a CNAME record aliased to it
	> 3. only www.tcd.ie has a DNS record
	>
	> I was focused on scenario 3.  I don't see scenarios 1 or 2 as
	> requiring any URL disambiguation in the browser.
	>
	> In scenario 3 I believe there are some browsers that will send a user
	> who enters "tcd.ie" to www.tcd.ie instead of returning a Domain Does
	> Not Exist error.  This is the behavior that I feel W3C should restrict
	> or at least standardize.
	
	Fair 'nuff. My take would be to tell the browsers not to mess about it
	in that case, unless the user is in some kind of auto-complete mode that
	they've agreed to, or can turn off.
	
	S.
	
	>
	> I hope this clarifies my intent.
	>
	> Cheers, Mike
	>
	> -----Original Message-----
	> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
	> Sent: Tuesday, March 04, 2008 1:45 PM
	> To: McCormick, Mike
	> Cc: public-wsc-wg@w3.org
	> Subject: Re: URL disambiguation
	>
	>
	>
	> michael.mccormick@wellsfargo.com wrote:
	>> _http://no-www.org/_
	>> _http://yes-www.org/_
	>>
	>> No doubt most of you are familiar with these web sites, and with the
	>> arguments for and against requiring host names in URLs.
	>>
	>> Most browsers seem to make it a moot point by accepting both forms of
	>> URL.
	>
	> Does the browser? Isn't that usually done via a CNAME in DNS or else
	> by having two A records for the server? It'd be wrong for a browser to
	> assume that the A record for tcd.ie and www.tcd.ie need to be the
	> same.
	>
	> S.
	>
	>> If I type "example.com" into my browser it takes me to
	>> _http://www.example.com_.  The agent is letting me be lazy and skip
	>> typing the protocol (_http://_) or hostname (_www._)
	>> portions of my destination address.
	>>
	>> The process of URL disambiguation, whereby the UA attempts to guess
	>> parts of the address the user has omitted, should be standardized for
	>> both security & experience reasons:
	>>
	>> [protocol://][host.][domain][.TLD][:port][/[path]][?query]
	>>
	>>  - If protocol omitted, UA must try https before http.  (Always prefer
	>> a TLS protected destination.)
	>>
	>>  - If host omitted, and protocol is http(s), UA may try the host name
	>> "www" in the target domain if it has a DNS record, unless the agent is
	>> in SBM mode.
	>>
	>>  - etc.
	>>
	>>
	>> *Michael McCormick, CISSP*
	>> Lead Security Architect, Information Security Technologies
	>> Wells Fargo Bank
	>> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"

Received on Tuesday, 4 March 2008 21:12:10 UTC
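
The host-disambiguation rules debated in this thread, combined into one decision function as an added example (not code from any participant or from the working group). The `lookup` resolver stub, the option names `safeBrowsingMode` and `wwwFallbackEnabled`, and the `.example` zone data are assumptions constructed for illustration.

```javascript
// Constructed DNS data for the three scenarios listed in the thread.
const ZONE = new Map([
  ["both.example", "A"], ["www.both.example", "A"],       // 1: both have A records
  ["alias.example", "CNAME"], ["www.alias.example", "A"], // 2: bare name is a CNAME
  ["www.only.example", "A"],                              // 3: only www resolves
]);

// Hypothetical stand-in for the UA's resolver: returns a record type or null.
const lookup = (host) => ZONE.get(host) ?? null;

// Decide which host the UA may contact for a typed URL.
// safeBrowsingMode and wwwFallbackEnabled are assumed option names.
function resolveTarget(input, { safeBrowsingMode = false, wwwFallbackEnabled = true } = {}) {
  const url = new URL(input);
  const host = url.hostname;

  // An A or CNAME result for the typed name is always honored as-is.
  if (lookup(host)) return { action: "load", host, rewritten: false };

  // The typed name is irresolvable: check whether any rewrite is permitted.
  if (safeBrowsingMode) return deny(host, "MUST NOT disambiguate in Safe Browsing Mode");
  if (url.protocol === "https:") return deny(host, "no substitution for HTTPS");
  if (!wwwFallbackEnabled) return deny(host, "user turned the fallback off");
  if (host.startsWith("www.")) return deny(host, "host label already supplied");

  // Only the single 'www' substitution is tried, and only if it has a record.
  const candidate = "www." + host;
  if (!lookup(candidate)) return deny(host, "www candidate does not resolve");
  return { action: "load", host: candidate, rewritten: true };
}

// Surface a resolution error instead of guessing another destination.
function deny(host, reason) {
  return { action: "error", host, rewritten: false, reason };
}
```

Returning `rewritten: true` lets the UA show the user that the address it loaded differs from the one typed.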