Re: XMLHttpRequest Object feedback

* Anne van Kesteren wrote:
>> Internet Explorer removed support for illegal HTTP URLs such as the one
>> you've provided above because it has been abused too much in phishing
>> mails. For other schemes where this is perfectly valid, like ftp, it
>> works just fine in Internet Explorer.
>
>What does IE do in such cases and do we want the draft to reflect that?

Internet Explorer 6 and 7 correctly discourage coding practices that are
in violation of RFC 2616 and raise an exception on an attempt to open()
such a URL. Opera9 and Firefox encourage incorrect and non-interoperable
coding practices and use the "specified" user name and password if and
when challenged for them by the server, contrary to the draft, which
requires not to respond to a challenge.

We should

  * clearly point out that specification of user name and/or password
    in the URL depends on the URL scheme and for HTTP this is not
    allowed per RFC 2616

  * define password and user name handling in terms of where to get
    those from when challenged for them (e.g., if cross-protocol
    requests are supported and an initial HTTP request yields a 301
    with Location: ftp://user:pass@... you'd use those instead of
    something specified on open() or the initial URL).

  * not prohibit properly responding to a 401 challenge

  * specify error handling for unsupported URLs

  * specify error handling when "If the response is an HTTP redirect
    (status code 301, 302, 303 or 307), then it MUST be transparently
    followed (unless it violates security or infinite loop precautions)"
    cannot be satisfied due to other reasons, like a redirect to an
    unsupported URL scheme

and all sorts of other things...
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Sunday, 14 May 2006 17:03:43 UTC
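
The checks listed in the message above, sketched as an added example that is not part of the original post or of any browser's code: userinfo is rejected for http but accepted for ftp, a redirect to an unsupported scheme is reported as an error, and userinfo on a redirect target replaces credentials given to open(). The function names, error labels, hop limit and the rule for dropping open() credentials when the host changes are assumptions.

```javascript
// Added illustration: names, error labels and the hop limit are assumptions.
const SUPPORTED = new Set(["http:", "https:", "ftp:"]);
const USERINFO_OK = new Set(["ftp:"]); // http URLs have no userinfo part in RFC 2616
const REDIRECTS = [301, 302, 303, 307]; // status codes quoted from the draft
const MAX_HOPS = 5;

// Validate one URL: unsupported scheme and http userinfo are distinct errors.
function checkUrl(raw, base) {
  try {
    const url = new URL(raw, base);
    if (!SUPPORTED.has(url.protocol)) return { error: "unsupported-scheme" };
    const hasUserinfo = url.username !== "" || url.password !== "";
    if (hasUserinfo && !USERINFO_OK.has(url.protocol)) {
      return { error: "userinfo-not-allowed" };
    }
    const creds = hasUserinfo
      ? { user: decodeURIComponent(url.username),
          password: decodeURIComponent(url.password) }
      : null;
    return { url, creds };
  } catch {
    return { error: "malformed-url" };
  }
}

const site = (url) => url.protocol + "//" + url.host;

// Follow a redirect chain and report which credentials would answer a
// challenge at the final URL. `responses` is constructed sample data
// mapping URL -> { status, location }.
function resolve(startUrl, openCreds, responses) {
  let current = checkUrl(startUrl);
  if (current.error) return { error: current.error, at: startUrl };
  let creds = current.creds || openCreds || null;
  const seen = new Set();
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const href = current.url.href;
    if (seen.has(href)) return { error: "redirect-loop", at: href };
    seen.add(href);
    const res = responses[href] || { status: 200 };
    if (!REDIRECTS.includes(res.status)) return { finalUrl: href, status: res.status, creds };
    const next = checkUrl(res.location, href);
    if (next.error) return { error: next.error, at: res.location };
    // Userinfo on the redirect target wins; otherwise (assumption) the
    // open() credentials are kept only while scheme and host are unchanged.
    if (next.creds) creds = next.creds;
    else if (site(next.url) !== site(current.url)) creds = null;
    current = next;
  }
  return { error: "too-many-redirects", at: current.url.href };
}
```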