- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 27 Jul 2010 18:59:11 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
FYI, I added the following paragraph for draft 11 as part of addressing ticket #159 in http://trac.tools.ietf.org/wg/httpbis/trac/changeset/877 p1, sec 2.6.1: added paragraph: The URI generic syntax for authority also includes a deprecated userinfo subcomponent ([RFC3986], Section 3.2.1) for including user authentication information in the URI. The userinfo subcomponent (and its "@" delimiter) MUST NOT be used in an "http" URI. URI reference recipients SHOULD parse for the existence of userinfo and treat its presence as an error, likely indicating that the deprecated subcomponent is being used to obscure the authority for the sake of phishing attacks. I'm pretty sure that this topic was discussed before on list, though I can't find the thread at the moment. Please let us know if you disagree with this change. ....Roy
Received on Wednesday, 28 July 2010 01:59:44 UTC