disallowing userinfo in http and https URIs

FYI, I added the following paragraph for draft 11 as part of addressing
ticket #159 in


p1, sec 2.6.1:  added paragraph:

   The URI generic syntax for authority also includes a deprecated
   userinfo subcomponent ([RFC3986], Section 3.2.1) for including
   user authentication information in the URI. The userinfo
   subcomponent (and its "@" delimiter) MUST NOT be used in an
   "http" URI. URI reference recipients SHOULD parse for the
   existence of userinfo and treat its presence as an error,
   likely indicating that the deprecated subcomponent is being used
   to obscure the authority for the sake of phishing attacks.

I'm pretty sure that this topic was discussed before on list, though
I can't find the thread at the moment.  Please let us know if you
disagree with this change.


Received on Wednesday, 28 July 2010 01:59:44 UTC