- From: <wizard@newsreports.org>
- Date: Fri, 30 Jan 2004 20:27:29 -0500
- To: mikehow@microsoft.com, ietf-http-wg-request@w3.org, HTTP Working Group <ietf-http-wg@w3.org>, mikehow@microsoft.com
- Cc: Dave Kristol <dmk@acm.org>
Michael, Off the top of my head, so I may be totally off base :) But, username:password@example.com is a valid uri in the http protocol. It follows, therefore, that it is a valid HREF value in an <A> tag. If the browser then does something other than is intended when the <A> tag is invoked, then it is arguably non-compliant. That is my argument in a nutshell. Now, I could get all scholarly and dig out all the references, but this would make the argument much more obtuse and hard to follow. I would not advance anything that I did not feel was supported in the relevant RFC's. Now, as a matter of practicality, IE is a Microsoft product and Microsoft can do as it wishes. Further, it can be argued that this is not a common usage of a uri. But, it *is* used and useful. To break it would be a shame. Especially if the shortcomings can be solved another way. To reiterate, the two problems that are referenced fall into the category of program bug, and rendering that is suitable for the majority of users. This is not a failing in the usage of the particular uri format at all. By kicking up a fuss as early as possible, I am hoping that more consideration will be given to a non-intrusive fix that will leave the intended functionality intact. Best Regards, Bob Michael Howard wrote: > > The plan, and it may change, is to nix username:pwd@ in a url. Correct > me if I'm wrong, but this format is only valid for ftp, not http. > > Cheers, Michael > > [Writing Secure Code 2nd Edition] > http://www.microsoft.com/mspress/books/5957.asp > [Protect Your PC] http://www.microsoft.com/protect > [Blog] http://blogs.msdn.com/michael_howard > > -----Original Message----- > From: wizard@newsreports.org [mailto:wizard@newsreports.org] > Sent: Friday, January 30, 2004 1:35 PM > To: ietf-http-wg-request@w3.org; HTTP Working Group; Michael Howard > Cc: Dave Kristol > Subject: Re: Microsoft to Strike IE URL Passwords > > Michael, > > Is this not really a rendering problem? > > This remark includes the "%01" problem, > and user perception that the leading > part before the "@" is the web site. > > The first is a problem internal to the > browser, and should be fixed. > > The second is a rendering problem, in > that many users do not know the difference. > Therefore, it is more useful to present > the url to the user without the credentials portion. > > If the embedded credentials are permitted in a valid url, and that url > is embedded as, for example, the href of an <a> tag, and the browser > does not retrieve the referenced resource, then the browser is broken. > > Removing this valid behaviour will, in some cases, break many months of > work. I am involved in one such case. > > Bob > > Michael Howard wrote: > > > > Only the form: "http(s)://username:password@server/resource.ext" is > > being removed; basic auth is untouched. > > > > Cheers, Michael > > > > [Writing Secure Code 2nd Edition] > > http://www.microsoft.com/mspress/books/5957.asp > > [Protect Your PC] http://www.microsoft.com/protect [Blog] > > http://blogs.msdn.com/michael_howard > > > > -----Original Message----- > > From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] > > On Behalf Of Dave Kristol > > Sent: Thursday, January 29, 2004 11:38 AM > > To: HTTP Working Group > > Subject: Microsoft to Strike IE URL Passwords > > > > <http://www.internetnews.com/dev-news/article.php/3305741> > > > > If I understand this article correctly, it sounds like MS IE will > > remove support for Basic Authentication. While we all agree that > > cleartext passwords are evil, this sounds to me like it will create a > > major compatibility problem at sites that use Basic. And note that it > > > covers Basic over SSL, too, where the passwords would *not* be > cleartext. > > > > Dave Kristol > > -- > > ------------------------------------------------------------------ > FREE DOWNLOADS > > iis bandwidth protection -- http://coldlink.com/ > > iis password protection -- http://wanderware.com/ > > ------------------------------------------------------------------ > > .. -- ------------------------------------------------------------------ FREE DOWNLOADS iis bandwidth protection -- http://coldlink.com/ iis password protection -- http://wanderware.com/ ------------------------------------------------------------------ ..
Received on Friday, 30 January 2004 20:23:24 UTC