- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 04 Mar 2008 22:41:15 +0000
- To: Ian Fette <ifette@google.com>
- CC: michael.mccormick@wellsfargo.com, public-wsc-wg@w3.org
Ian Fette wrote: > Why are we saying that it shouldn't be done in other modes? If (for some > strange reason) somesite.com <http://somesite.com> doesn't work, and the > browser tries www.somesite.com <http://www.somesite.com>, I would view > that as being helpful. Given that it's something that many people rely > on, I'd be surprised if you got any traction for taking it out. I wasn't saying that, but that I think we might recommend that there be a way to turn off auto-complete, at which point the browser shouldn't be doing this stuff. (I'm not sure if there is or isn't for each of the various UAs.) In any case I'd think a .com extension is more potentially problematic than a www prefix, but if the user's bought into auto-complete, then let it happen. > Obviously I think the browser should first try somesite.com > <http://somesite.com>, and if that returns a result (either an A record > or a CNAME) that should be honored, but if not, it seems like it's in > the interest of the user for the browser to try www. Is that something that's not written down somewhere already? If it is, we're done. If not, should we do it? (Bit of a potential rat-hole is the only reason not to include it.) S. > > > -Ian > > On Tue, Mar 4, 2008 at 12:33 PM, <michael.mccormick@wellsfargo.com > <mailto:michael.mccormick@wellsfargo.com>> wrote: > > > I agree with you Stephen. > > Specifically I would say: "The user agent MUST NOT disambiguate the URL > host name when in Safe Browsing Mode, and SHOULD NOT do so in other > modes of operation" where host disambiguation is specifically defined to > mean "Try alternate host names such as 'www' when the input host name is > irresolvable via standard domain name services". > > Thanks, Mike > > > -----Original Message----- > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie > <mailto:stephen.farrell@cs.tcd.ie>] > Sent: Tuesday, March 04, 2008 2:25 PM > To: McCormick, Mike > Cc: public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org> > Subject: Re: URL disambiguation > > > > michael.mccormick@wellsfargo.com > <mailto:michael.mccormick@wellsfargo.com> wrote: > > There are several possible scenarios, including: > > > > 1. tcd.ie <http://tcd.ie> and www.tcd.ie <http://www.tcd.ie> both > have A records 2. www.tcd.ie <http://www.tcd.ie> has an A > > record and tcd.ie <http://tcd.ie> has a CNAME record aliased to > it 3. only www.tcd.ie <http://www.tcd.ie> > > has a DNS record > > > > I was focused on scenario 3. I don't see scenarios 1 or 2 as > > requiring any URL disambiguation in the browser. > > > > In scenario 3 I believe there are some browsers that will send a user > > who enters "tcd.ie <http://tcd.ie>" to www.tcd.ie > <http://www.tcd.ie> instead of returning a Domain Does > > Not Exist error. This is the behavior that I feel W3C should > restrict > > > or at least standardize. > > Fair 'nuff. My take would be to tell the browsers not to mess about it > in that case, unless the user is in some kind of auto-complete mode that > they've agreed to, or can turn off. > > S. > > > > > I hope this clarifies my intent. > > > > Cheers, Mike > > > > -----Original Message----- > > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie > <mailto:stephen.farrell@cs.tcd.ie>] > > Sent: Tuesday, March 04, 2008 1:45 PM > > To: McCormick, Mike > > Cc: public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org> > > Subject: Re: URL disambiguation > > > > > > > > michael.mccormick@wellsfargo.com > <mailto:michael.mccormick@wellsfargo.com> wrote: > >> _http://no-www.org/_ <http://www.org/_> > >> _http://yes-www.org/_ <http://www.org/_> > >> > >> No doubt most of you are familiar with these web sites, and with the > >> arguments for and against requiring host names in URLs. > >> > >> Most browsers seem to make it a moot point by accepting both > forms of > > >> URL. > > > > Does the browser? Isn't that usually done via a CNAME in DNS or else > > by having two A records for the server? It'd be wrong for a > browser to > > > assume that the A record for tcd.ie <http://tcd.ie> and > www.tcd.ie <http://www.tcd.ie> need to be the > same. > > > > S. > > > > > If I type "example.com <http://example.com>" into my browser > it takes me to > >> _http://www.example.com_. The agent is letting me be lazy and skip > >> typing the protocol (_http://_) or hostname (_www._ <file://www.>) > >> portions of my destination address. > >> > >> The process of URL disambiguation, whereby the UA attempts to guess > >> parts of the address the user has omitted, should be > standardized for > > >> both security & experience reasons: > >> > >> [protocol://][host.][domain][.TLD][:port][/[path]][?query] > >> > >> - If protocol omitted, UA must try https before http. (Always > >> prefer > > > >> a TLS protected destination.) > >> > >> - If host omitted, and protocol is http(s), UA may try the host > name > > >> "www" in the target domain if it has a DNS record, unless the agent > >> is > > > >> in SBM mode. > >> > >> - etc. > >> > >> > >> *Michael McCormick, CISSP* > >> Lead Security Architect, Information Security Technologies Wells > >> Fargo > > > >> Bank "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY > THOSE OF > > >> WELLS FARGO" > >> /This message may contain confidential and/or privileged > information. > > > >> If you are not the addressee or authorized to receive this for the > >> addressee, you must not use, copy, disclose, or take any action > based > > >> on this message or any information herein. If you have received > this > > >> message in error, please advise the sender immediately by reply > >> e-mail > > > >> and delete this message. Thank you for your cooperation./ > >> > > > > > > > > >
Received on Tuesday, 4 March 2008 22:41:45 UTC