Explicit instructions on use of fragment in request URI

This came up in the OAuth WG. One of the flows used to obtain a token relies on the fact that browsers don't sent the fragment over to the server and uses it to encoded credentials visible only to the browser (server provides them via a redirect Location header). I was asked what stops the browser from sending the fragment.

I spent some time trying to find where 2616 forbids including the fragment and the best I came up with is from 3986:

   the fragment identifier is separated
   from the rest of the URI prior to a dereference, and thus the
   identifying information within the fragment itself is dereferenced
   solely by the user agent, regardless of the URI scheme.

Mark pointed me to the definition of request-URI which is abs_path or absoluteURI from 2396, which in turn do not allow a fragment.

Would it be possible to make this easier?

Something like "the request URI MUST NOT include a fragment component"... :-)


Received on Thursday, 22 April 2010 06:20:42 UTC