Re: userinfo in :authority

On 2014-01-07 08:55, Martin Thomson wrote:
> I just closed #334 by prohibiting userinfo in :authority.
> 
> https://github.com/http2/http2-spec/issues/334
> 
> If anyone thinks that this is a bad idea, and thinks that this needs
> to be weaker, discuss.

If the HTTP/2 field is going to hold the authority info it really should 
hold the whole authority info and not encourage eliding details.

Counter to the comment in github, it is only the "user:password" usage 
of userinfo which is deprecated. The field itself is not deprecated and 
is being used in some applications to relay items like Bearer tokens or 
"scheme-specific information about how to gain authorization" in a safer 
way than via query parameter or path.

If it is going to be split off from authority, please document a mapping 
that preserves it for consistency across 1.1->2.0->1.1 gateways.

Amos

Received on Monday, 6 January 2014 20:24:16 UTC