- From: Eran Hammer-Lahav <eran@hueniverse.com>
- Date: Wed, 21 Apr 2010 23:19:58 -0700
- To: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
This came up in the OAuth WG. One of the flows used to obtain a token relies on the fact that browsers don't sent the fragment over to the server and uses it to encoded credentials visible only to the browser (server provides them via a redirect Location header). I was asked what stops the browser from sending the fragment. I spent some time trying to find where 2616 forbids including the fragment and the best I came up with is from 3986: the fragment identifier is separated from the rest of the URI prior to a dereference, and thus the identifying information within the fragment itself is dereferenced solely by the user agent, regardless of the URI scheme. Mark pointed me to the definition of request-URI which is abs_path or absoluteURI from 2396, which in turn do not allow a fragment. Would it be possible to make this easier? Something like "the request URI MUST NOT include a fragment component"... :-) EHL
Received on Thursday, 22 April 2010 06:20:42 UTC