
Re: userinfo allowed in http URI or not?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sun, 1 Feb 2004 23:16:14 -0800
Cc: uri@w3.org
To: "Kai Schaetzl" <maillists@conactive.com>
Message-Id: <AFA54814-554F-11D8-B29B-000393753936@gbiv.com>

> http://www.iana.org/assignments/uri-schemes says 2616 is relevant for http
> URIs and not 1738 anymore
> 2616 refers to 2396 for http URIs

Only for the syntax constructs.  The syntax for the http scheme
is defined in 2616 and does not allow userinfo.

> Well, is it a valid http URI or not? Why is there so much confusion in the
> documents? Could you please add a definitive statement on userinfo in
> 2396bis and either add it explicitly to the BNF syntax or clearly state
> it's invalid?

2396 defines the generic syntax for all schemes, some of which include
userinfo as a valid option.  It is not appropriate for it to say anything
more than it already does, which is basically that it is not recommended
for any scheme.

Getting implementers to understand that passive user security is more
important than backwards compatibility has proven to be difficult.
The spec has to draw a fine line between describing how existing
systems work and how they should work, particularly when the software
is revised faster than the specifications.

....Roy
Received on Monday, 2 February 2004 02:15:56 GMT
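
Added example, not part of the original message or of any RFC text: a Python check that applies the rule stated in the message (the http scheme's syntax has no userinfo, while the generic syntax permits it for other schemes) to the authority component only. The function names, the scheme set and the sample URIs are constructed for illustration.

```python
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Schemes whose own syntax has no userinfo component. "http" comes from the
# message; extending this set to other schemes is left to the reader.
NO_USERINFO_SCHEMES = {"http"}


class Finding(NamedTuple):
    scheme: str
    userinfo: Optional[str]  # text before the last "@" in the authority, else None
    hostport: str            # host[:port] a client would actually contact
    valid: bool              # False when the scheme forbids the userinfo found


def check_userinfo(uri: str) -> Finding:
    parts = urlsplit(uri)
    # Only the authority is examined: "@" in a path or query is ordinary data.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    has_userinfo = bool(at)  # an empty userinfo ("http://@host/") still counts
    valid = not (has_userinfo and parts.scheme in NO_USERINFO_SCHEMES)
    return Finding(parts.scheme, userinfo if has_userinfo else None, hostport, valid)


def audit(uris: List[str]) -> List[str]:
    """Return the URIs that carry userinfo under a scheme that forbids it."""
    return [u for u in uris if not check_userinfo(u).valid]


# Constructed sample input (documentation hostnames and addresses only).
SAMPLES = [
    "http://www.example.org/index.html",
    "http://alice:secret@www.example.org/",
    "http://www.example.org@192.0.2.7/login",
    "http://www.example.org/users/@bob?mail=a@b.example",
    "ftp://anonymous@ftp.example.org/pub/",
    "http://@www.example.org/",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        f = check_userinfo(uri)
        status = "ok" if f.valid else "REJECT"
        print(f"{status:6} host={f.hostport:18} userinfo={f.userinfo!r:16} {uri}")
```

The third sample shows why the check reports `hostport` separately: the text before the "@" is userinfo, and the host contacted is what follows it.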
