Re: Adding user@ to HTTP[S] URIs from Rick van Rein on 2020-01-26 (ietf-http-wg@w3.org from January to March 2020)

From: Rick van Rein <rick@openfortress.nl>
Date: Sun, 26 Jan 2020 10:59:38 +0100
To: Austin Wright <aaa@bzfx.net>
CC: "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
Message-ID: <5E2D630A.604@openfortress.nl>

Austin Wright wrote:

> I think what the http-wg list is saying is, while the feature could be defined and standardized, user-agents cannot be obligated to support it.

I know, but this kind of thinking is always hindering HTTP progress or,
more in general, the development of any client/server protocol in use.
This style of thought is not helpful during innovation, I think.

Note that what I am tackling here is based on misinterpretation of
RFC3986, so it is a bug that ought to be fixed.  Also note that nothing
is breaking by adding this facilty, only enforcing its use could.

Users who do have a compliant user agent can immediately experience the
benefits for their own use, against their own sites.  That might be
their own IDP, but the support might explode when large providers
support it, as in https://godfried.boomans@gmail.com for access to webmail.

Thanks,
 -Rick

> Consider: If a user clicks on your link, some user agents will send:
> 
> GET /index.html HTTP/1.1
> Host: example.com
> User: john
> 
> And others will send (because they choose not to implement the feature):
> 
> GET /index.html HTTP/1.1
> Host: example.com
> 
> So what functionality is this offering, if servers can’t rely on user agents sending the header?
> 
> There’s an easy solution, just put it in the hier-part:
> 
> http://example.com/~john/index.html
> 
> Or maybe define a standard that allows the _server_ to specify: “URIs of this format <http://example.com/~{user}/> belong to the specified user”
> 
> Austin Wright.
> 
> 
>> On Jan 25, 2020, at 08:59, Rick van Rein <rick@openfortress.nl> wrote:
>>
>> Hi Daniel,
>>
>>> You can't fix this simply by saying that setting the name part of the
>>> userinfo in a HTTP URI is OK. HTTP has no established way to send a
>>> user name outside of authentication.
>> Exactly.  That's why I started this thread with an Internet Draft,
>> https://datatracker.ietf.org/doc/draft-vanrein-http-unauth-user/
>>
>> For http://john@example.com/index.html it sends
>>
>> GET /index.html HTTP/1.1
>> Host: example.com
>> User: john
>>
>>
>> Cheers,
>> -Rick
>>
>

Received on Sunday, 26 January 2020 10:00:11 UTC