Re: disallowing userinfo in http and https URIs

Mark Baker wrote:
> Hi Roy,
> On Tue, Jul 27, 2010 at 9:59 PM, Roy T. Fielding <> wrote:
>> FYI, I added the following paragraph for draft 11 as part of addressing
>> ticket #159 in
>> p1, sec 2.6.1:  added paragraph:
>>   The URI generic syntax for authority also includes a deprecated
>>   userinfo subcomponent ([RFC3986], Section 3.2.1) for including
>>   user authentication information in the URI. The userinfo
>>   subcomponent (and its "@" delimiter) MUST NOT be used in an
>>   "http" URI. URI reference recipients SHOULD parse for the
>>   existence of userinfo and treat its presence as an error,
>>   likely indicating that the deprecated subcomponent is being used
>>   to obscure the authority for the sake of phishing attacks.
>> I'm pretty sure that this topic was discussed before on list, though
>> I can't find the thread at the moment.  Please let us know if you
>> disagree with this change.
> FWIW, we use this construct in the Akara HTTP server project, but
> those http URIs are only ever found in configuration files, never on
> the wire.
Right. I personally find this use case quite compelling.
> The use of userinfo on the wire is obviously a security nightmare, and
> I welcome bold warnings about its use, but I wonder if requiring they
> be treated as erroneous is necessary, especially when there's so many
> existing agents which silently ignore it (just tested Firefox 3.6.8,
> latest Chrome beta, wget), or support it by initiating basic auth
> (curl).
Either this, or clarify that the userinfo part is not allowed in HTTP 
(but maybe used in other contexts).
It would probably be safer to prohibit userinfo use on the wire.

Received on Wednesday, 28 July 2010 08:22:25 UTC