W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2020

Re: Adding user@ to HTTP[S] URIs

From: Rick van Rein <rick@openfortress.nl>
Date: Mon, 27 Jan 2020 14:54:04 +0100
Message-ID: <5E2EEB7C.9030100@openfortress.nl>
To: Daniel Stenberg <daniel@haxx.se>
CC: James Fuller <jim@webcomposite.com>, Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
Also,

How shocking would it be to current usage of the Basic pattern to use an explicit, empty password?  Several other browsers use "foo:@localhost" for Basic if they want to avoid popups.

-Rick


> $ curl foo@localhost -v
> ...
>> GET / HTTP/1.1
>> Host: localhost
>> Authorization: Basic Zm9vOg==
>
> ... because userinfo in HTTP has only ever been there and used for
> authentication.
>
> (Zm9vOg== is "foo:" base64 encoded)
Received on Monday, 27 January 2020 13:54:41 UTC

This archive was generated by hypermail 2.4.0 : Monday, 27 January 2020 13:54:42 UTC