- From: Eran Hammer-Lahav <eran@hueniverse.com>
- Date: Thu, 22 Apr 2010 00:26:13 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
It's not intuitive for the occasional reader to figure out that absolute-URI doesn't include fragment. Now that it was pointed out to me, it seems pretty straightforward. I think it will help developers avoid this mistake (of sending a fragment), but then again, I'm not sure how many of them will read the spec that closely.

I am going to make it clear in the OAuth spec because sending the fragment is a security risk.

EHL

> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Wednesday, April 21, 2010 11:58 PM
> To: Eran Hammer-Lahav
> Cc: HTTP Working Group (ietf-http-wg@w3.org)
> Subject: Re: Explicit instructions on use of fragment in request URI
>
> On 22.04.2010 08:49, Eran Hammer-Lahav wrote:
> > I'm not looking for a MUST NOT. But it would be nice for the spec to say
> > "btw, you can't use fragments here".
> >
> > I always knew fragments are not allowed, but when asked, I couldn't show
> > where that's defined. And because HTTP doesn't make it easy, OAuth has to
> > make developers aware of that.
> > ...
>
> Still trying to understand the issue.
>
> The ABNF doesn't allow the fragment here; is that really so hard to spot?
>
> Best regards, Julian
Received on Thursday, 22 April 2010 07:33:39 UTC
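
The rule discussed in this thread, as an added example that is not part of the original messages: the absolute-URI production (`scheme ":" hier-part [ "?" query ]`) has no fragment component, so a client has to drop the fragment before putting a URI on the request line, and a server can treat a `#` there as malformed. The function names and the sample URIs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit


def request_target(uri: str, form: str = "origin") -> str:
    """Build the request-target for `uri`; the fragment is never emitted.

    form="origin"   -> path[?query]             (sent to an origin server)
    form="absolute" -> scheme://host/path[?q]   (sent to a proxy)
    """
    # Reject whitespace/control characters first so nothing can split the
    # request line, and so urlsplit() does not silently strip them.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        raise ValueError("whitespace or control character in URI")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("expected an absolute http(s) URI")
    if "@" in parts.netloc:
        # Assumption of this example: refuse userinfo rather than send it.
        raise ValueError("userinfo must not be sent in a request-target")
    path = parts.path or "/"  # an empty path goes on the wire as "/"
    target = path + ("?" + parts.query if parts.query else "")
    # parts.fragment is deliberately unused: it stays on the client.
    if form == "origin":
        return target
    if form == "absolute":
        return f"{parts.scheme}://{parts.netloc}{target}"
    raise ValueError("form must be 'origin' or 'absolute'")


def is_valid_request_target(target: str) -> bool:
    """Receiver-side check: the grammar leaves no place for '#'."""
    return bool(target) and "#" not in target and not any(
        c.isspace() for c in target
    )


if __name__ == "__main__":
    # Constructed sample URI; the fragment holds client-only state.
    sample = "https://api.example/res?id=7#private-client-state"
    print(request_target(sample))              # origin-form
    print(request_target(sample, "absolute"))  # absolute-form
    print(is_valid_request_target("/res?id=7#private-client-state"))
```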