Re: disallowing userinfo in http and https URIs

Hi Roy,

On Tue, Jul 27, 2010 at 9:59 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> FYI, I added the following paragraph for draft 11 as part of addressing
> ticket #159 in
>
>  http://trac.tools.ietf.org/wg/httpbis/trac/changeset/877
>
> p1, sec 2.6.1:  added paragraph:
>
>   The URI generic syntax for authority also includes a deprecated
>   userinfo subcomponent ([RFC3986], Section 3.2.1) for including
>   user authentication information in the URI. The userinfo
>   subcomponent (and its "@" delimiter) MUST NOT be used in an
>   "http" URI. URI reference recipients SHOULD parse for the
>   existence of userinfo and treat its presence as an error,
>   likely indicating that the deprecated subcomponent is being used
>   to obscure the authority for the sake of phishing attacks.
>
> I'm pretty sure that this topic was discussed before on list, though
> I can't find the thread at the moment.  Please let us know if you
> disagree with this change.

FWIW, we use this construct in the Akara HTTP server project, but
those http URIs are only ever found in configuration files, never on
the wire.

The use of userinfo on the wire is obviously a security nightmare, and
I welcome bold warnings about its use, but I wonder if requiring they
be treated as erroneous is necessary, especially when there's so many
existing agents which silently ignore it (just tested Firefox 3.6.8,
latest Chrome beta, wget), or support it by initiating basic auth
(curl).

Mark.

Received on Wednesday, 28 July 2010 04:03:21 UTC