- From: <michael.mccormick@wellsfargo.com>
- Date: Tue, 4 Mar 2008 14:33:23 -0600
- To: <stephen.farrell@cs.tcd.ie>
- Cc: <public-wsc-wg@w3.org>
I agree with you Stephen. Specifically I would say: "The user agent MUST NOT disambiguate the URL host name when in Safe Browsing Mode, and SHOULD NOT do so in other modes of operation" where host disambiguation is specifically defined to mean "Try alternate host names such as 'www' when the input host name is irresolvable via standard domain name services". Thanks, Mike -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] Sent: Tuesday, March 04, 2008 2:25 PM To: McCormick, Mike Cc: public-wsc-wg@w3.org Subject: Re: URL disambiguation michael.mccormick@wellsfargo.com wrote: > There are several possible scenarios, including: > > 1. tcd.ie and www.tcd.ie both have A records 2. www.tcd.ie has an A > record and tcd.ie has a CNAME record aliased to it 3. only www.tcd.ie > has a DNS record > > I was focused on scenario 3. I don't see scenarios 1 or 2 as > requiring any URL disambiguation in the browser. > > In scenario 3 I believe there are some browsers that will send a user > who enters "tcd.ie" to www.tcd.ie instead of returning a Domain Does > Not Exist error. This is the behavior that I feel W3C should restrict > or at least standardize. Fair 'nuff. My take would be to tell the browsers not to mess about it in that case, unless the user is in some kind of auto-complete mode that they've agreed to, or can turn off. S. > > I hope this clarifies my intent. > > Cheers, Mike > > -----Original Message----- > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > Sent: Tuesday, March 04, 2008 1:45 PM > To: McCormick, Mike > Cc: public-wsc-wg@w3.org > Subject: Re: URL disambiguation > > > > michael.mccormick@wellsfargo.com wrote: >> _http://no-www.org/_ >> _http://yes-www.org/_ >> >> No doubt most of you are familiar with these web sites, and with the >> arguments for and against requiring host names in URLs. >> >> Most browsers seem to make it a moot point by accepting both forms of >> URL. > > Does the browser? Isn't that usually done via a CNAME in DNS or else > by having two A records for the server? It'd be wrong for a browser to > assume that the A record for tcd.ie and www.tcd.ie need to be the same. > > S. > > > If I type "example.com" into my browser it takes me to >> _http://www.example.com_. The agent is letting me be lazy and skip >> typing the protocol (_http://_) or hostname (_www._ <file://www.>) >> portions of my destination address. >> >> The process of URL disambiguation, whereby the UA attempts to guess >> parts of the address the user has omitted, should be standardized for >> both security & experience reasons: >> >> [protocol://][host.][domain][.TLD][:port][/[path]][?query] >> >> - If protocol omitted, UA must try https before http. (Always >> prefer > >> a TLS protected destination.) >> >> - If host omitted, and protocol is http(s), UA may try the host name >> "www" in the target domain if it has a DNS record, unless the agent >> is > >> in SBM mode. >> >> - etc. >> >> >> *Michael McCormick, CISSP* >> Lead Security Architect, Information Security Technologies Wells >> Fargo > >> Bank "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF >> WELLS FARGO" >> /This message may contain confidential and/or privileged information. > >> If you are not the addressee or authorized to receive this for the >> addressee, you must not use, copy, disclose, or take any action based >> on this message or any information herein. If you have received this >> message in error, please advise the sender immediately by reply >> e-mail > >> and delete this message. Thank you for your cooperation./ >> > > >
Received on Tuesday, 4 March 2008 20:34:55 UTC