RE: Explicit instructions on use of fragment in request URI

It's not intuitive for the occasional reader to figure out that absolute-URI doesn't include fragment. Now that it was pointed out to me, it seems pretty straightforward. I think it will help developers avoid this mistake (of sending a fragment), but then again, I'm not sure how many of them will read the spec that closely. I am going to make it clear in the OAuth spec because sending the fragment is a security risk.


> -----Original Message-----
> From: Julian Reschke []
> Sent: Wednesday, April 21, 2010 11:58 PM
> To: Eran Hammer-Lahav
> Cc: HTTP Working Group (
> Subject: Re: Explicit instructions on use of fragment in request URI
>
> On 22.04.2010 08:49, Eran Hammer-Lahav wrote:
> > I'm not looking for a MUST NOT. But it would be nice for the spec to say "btw, you can't use fragments here".
> >
> > I always knew fragments are not allowed, but when asked, I couldn't show where that's defined. And because HTTP doesn't make it easy, OAuth has to make developers aware of that.
> > ...
>
> Still trying to understand the issue.
> The ABNF doesn't allow the fragment here; is that really so hard to spot?
>
> Best regards, Julian

Received on Thursday, 22 April 2010 07:33:39 UTC
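
The rule discussed in this thread, as an added example that is not part of the original messages: a client-side helper that builds the request-target without the fragment, and a server-side check that flags a request line whose target still carries one. The function names, the host `rs.example` and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit


def request_target(uri: str, absolute_form: bool = False) -> str:
    """Build the HTTP/1.1 request-target for an http(s) URI.

    The fragment is never included: neither origin-form (path + query)
    nor absolute-form (absolute-URI) has a fragment component.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URI")
    path = parts.path or "/"  # an empty path is sent as "/"
    target = path + ("?" + parts.query if parts.query else "")
    if absolute_form:
        # Drop userinfo as well; credentials do not belong on the request line.
        authority = parts.netloc.rpartition("@")[2]
        target = f"{parts.scheme}://{authority}{target}"
    return target


def check_request_line(line: str) -> str:
    """Classify a request line as 'ok', 'fragment' or 'malformed'."""
    try:
        _method, target, _version = line.split(" ")
    except ValueError:
        return "malformed"
    return "fragment" if "#" in target else "ok"


if __name__ == "__main__":
    # Constructed sample URI; the fragment value is a placeholder.
    uri = "https://rs.example/photos?size=large#state=CONSTRUCTED"
    print(request_target(uri))
    print(request_target(uri, absolute_form=True))
    print(check_request_line("GET /photos?size=large#state=CONSTRUCTED HTTP/1.1"))
```

A server or proxy can log the `fragment` case, since it indicates a client that serialized the full URI instead of the request-target.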