- From: Ian Fette <ifette@google.com>
- Date: Tue, 4 Mar 2008 12:53:55 -0800
- To: michael.mccormick@wellsfargo.com
- Cc: stephen.farrell@cs.tcd.ie, public-wsc-wg@w3.org
- Message-ID: <bbeaa26f0803041253u717aaf8fnc704672313fb34b3@mail.gmail.com>
Why are we saying that it shouldn't be done in other modes? If (for some strange reason) somesite.com doesn't work, and the browser tries www.somesite.com, I would view that as being helpful. Given that it's something that many people rely on, I'd be surprised if you got any traction for taking it out. Obviously I think the browser should first try somesite.com, and if that returns a result (either an A record or a CNAME) that should be honored, but if not, it seems like it's in the interest of the user for the browser to try www.

-Ian

On Tue, Mar 4, 2008 at 12:33 PM, <michael.mccormick@wellsfargo.com> wrote:

> I agree with you Stephen.
>
> Specifically I would say: "The user agent MUST NOT disambiguate the URL
> host name when in Safe Browsing Mode, and SHOULD NOT do so in other
> modes of operation" where host disambiguation is specifically defined to
> mean "Try alternate host names such as 'www' when the input host name is
> irresolvable via standard domain name services".
>
> Thanks, Mike
>
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Tuesday, March 04, 2008 2:25 PM
> To: McCormick, Mike
> Cc: public-wsc-wg@w3.org
> Subject: Re: URL disambiguation
>
> michael.mccormick@wellsfargo.com wrote:
> > There are several possible scenarios, including:
> >
> > 1. tcd.ie and www.tcd.ie both have A records
> > 2. www.tcd.ie has an A record and tcd.ie has a CNAME record aliased to it
> > 3. only www.tcd.ie has a DNS record
> >
> > I was focused on scenario 3. I don't see scenarios 1 or 2 as
> > requiring any URL disambiguation in the browser.
> >
> > In scenario 3 I believe there are some browsers that will send a user
> > who enters "tcd.ie" to www.tcd.ie instead of returning a Domain Does
> > Not Exist error. This is the behavior that I feel W3C should restrict
> > or at least standardize.
>
> Fair 'nuff. My take would be to tell the browsers not to mess about it
> in that case, unless the user is in some kind of auto-complete mode that
> they've agreed to, or can turn off.
>
> S.
>
> > I hope this clarifies my intent.
> >
> > Cheers, Mike
> >
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > Sent: Tuesday, March 04, 2008 1:45 PM
> > To: McCormick, Mike
> > Cc: public-wsc-wg@w3.org
> > Subject: Re: URL disambiguation
> >
> > michael.mccormick@wellsfargo.com wrote:
> >> _http://no-www.org/_
> >> _http://yes-www.org/_
> >>
> >> No doubt most of you are familiar with these web sites, and with the
> >> arguments for and against requiring host names in URLs.
> >>
> >> Most browsers seem to make it a moot point by accepting both forms of
> >> URL.
> >
> > Does the browser? Isn't that usually done via a CNAME in DNS or else
> > by having two A records for the server? It'd be wrong for a browser to
> > assume that the A record for tcd.ie and www.tcd.ie need to be the same.
> >
> > S.
> >
> >> If I type "example.com" into my browser it takes me to
> >> _http://www.example.com_. The agent is letting me be lazy and skip
> >> typing the protocol (_http://_) or hostname (_www._ <file://www.>)
> >> portions of my destination address.
> >>
> >> The process of URL disambiguation, whereby the UA attempts to guess
> >> parts of the address the user has omitted, should be standardized for
> >> both security & experience reasons:
> >>
> >> [protocol://][host.][domain][.TLD][:port][/[path]][?query]
> >>
> >> - If protocol omitted, UA must try https before http. (Always prefer
> >> a TLS protected destination.)
> >>
> >> - If host omitted, and protocol is http(s), UA may try the host name
> >> "www" in the target domain if it has a DNS record, unless the agent is
> >> in SBM mode.
> >>
> >> - etc.
> >>
> >> *Michael McCormick, CISSP*
> >> Lead Security Architect, Information Security Technologies
> >> Wells Fargo Bank
> >> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF
> >> WELLS FARGO"
> >> /This message may contain confidential and/or privileged information.
> >> If you are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply e-mail
> >> and delete this message. Thank you for your cooperation./
Received on Tuesday, 4 March 2008 20:54:31 UTC
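
The host-disambiguation rule debated in this thread, modelled over the three DNS scenarios listed above. This is an added example, not part of the original messages or of any browser's code. The zone table is constructed, no real DNS queries are made, and the names `resolve`, `pick_host` and the policy labels `"strict"` and `"fallback"` are hypothetical.

```python
# Constructed zone: one entry set per scenario from the thread.
# Addresses come from the 192.0.2.0/24 documentation range.
ZONE = {
    "both.example": ("A", "192.0.2.10"),              # scenario 1: both names
    "www.both.example": ("A", "192.0.2.10"),          #   have A records
    "alias.example": ("CNAME", "www.alias.example"),  # scenario 2: bare name
    "www.alias.example": ("A", "192.0.2.20"),         #   is a CNAME to www
    "www.onlywww.example": ("A", "192.0.2.30"),       # scenario 3: only www
}


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs to an address; return None if the name does not resolve."""
    for _ in range(max_hops):
        record = zone.get(name.lower().rstrip("."))
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        name = value  # CNAME: continue with the alias target
    return None  # CNAME loop or over-long chain is treated as unresolvable


def pick_host(typed, policy, safe_browsing=False, zone=ZONE):
    """Return (host, address, guessed) for a typed host name.

    policy "strict":   never guess (the MUST NOT / SHOULD NOT wording).
    policy "fallback": try "www." only after the typed name fails to resolve.
    Safe Browsing Mode forbids guessing under either policy.
    """
    address = resolve(typed, zone)
    if address is not None:
        return typed, address, False  # the typed name is always honored first
    already_www = typed.lower().startswith("www.")
    if safe_browsing or policy == "strict" or already_www:
        return typed, None, False     # surface the resolution error as-is
    guess = "www." + typed
    address = resolve(guess, zone)
    if address is not None:
        return guess, address, True   # guessed=True: the host shown to the
                                      # user differs from what was typed
    return typed, None, False


if __name__ == "__main__":
    for name in ("both.example", "alias.example", "onlywww.example"):
        for sbm in (False, True):
            print(name, "SBM" if sbm else "normal",
                  pick_host(name, "fallback", safe_browsing=sbm))
```

Only scenario 3 ever produces a guessed host, and only under the fallback policy outside Safe Browsing Mode; scenarios 1 and 2 are resolved by DNS alone.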