Re: hidden source code html

Mike Meyer (mwm@contessa.phone.net)
Wed, 4 Oct 95 11:00:55 PST


Subject:  Re: Re: hidden source code html
In-Reply-To: <m0t0VtA-0001M2C@cg57.esnet.com>
From: mwm@contessa.phone.net (Mike Meyer)
Date: Wed, 4 Oct 95 11:00:55 PST
Message-Id: <19951004.78D3A18.A61B@contessa.phone.net>
To: www-html@w3.org

> Well Jon, the original question -- at least, _my_ original Usenet question --
> related to the use of a hyperlink of the form
>        ftp://user:password@ftp.some.site.uk
> which is permitted, but REALLY STUPID unless the code can be concealed.
> Isn't it?

No, it isn't. That username/password can be used to access an object
that you presumably want everyone who can access the web page
containing that URL to be able to get to. Since they can get the
object from that web page, there shouldn't be any harm in them having
the username/password pair.

Now, if that username/password pair is used to protect something in
addition to the object the URL points at, then something stupid is
going on. It's that someone is trying to use a single
username/password pair to protect two different things at (presumably)
different levels of security. The latter thing should be fixed.

BTW, even if you could encrypt the HTML in some way, you've still got
to prevent the browser from displaying the URL of the document it
fetches, as that will contain the username/password pair as well.

	<mike