Re: semantics of host field in http URI

I wrote:

> This implies that the meaning of http://www.w3.org/ might change
> depending on where it is interpreted, unless the HTTP spec requires the
> use of domain names, which it currently does not (because it depends on
> RFC-2396 for that requirement).

"Roy T. Fielding" <fielding@gbiv.com> replied:

> Which doesn't require globally-scoped FQDNs either.

True, but it does recommend them, and does provide a way to guarantee
that they are globally-scoped FQDNs:

    The rightmost domain label of a fully qualified domain name will
    never start with a digit, thus syntactically distinguishing domain
    names from IPv4 addresses, and may be followed by a single "." if
    it is necessary to distinguish between the complete domain name and
    any local domain.  To actually be "Uniform" as a resource locator, a
    URL hostname should be a fully qualified domain name.  In practice,
    however, the host component may be a local domain literal

> > Does the HTTP spec need to be updated to explicitly require domain
> > names?  Or is it intended to relax the semantics of http URIs and
> > allow http://www.w3.org/ to mean different things in different
> > places?
>
> www.w3.org already means different things in different places.

Then I'll ask the same question for "www.w3.org.".

The combination of RFC-2616 and RFC-2396 guarantees that
http://www.w3.org./ has one globally unique meaning, but the combination
of RFC-2616 and rfc2396bis allows it to mean different things in
different places (because in some places www.w3.org. might not be a
domain name at all, according to rfc2396bis).  Is that relaxation
intended, or does the HTTP spec need to be updated to require domain
names?

> All you need to demonstrate that fact is to create a subdomain prefix
> within your domain,
> e.g.,
> 
>    www.w3.org.example.com
> 
> place an HTTP server there and you will see that all of the requests
> to the above "http://www.w3.org/" from within the example.com network
> will go to the local domain instead.

This was true years ago, but RFC-1535 identified this problem and
suggested a countermeasure back in 1993, and I think most resolvers
today adhere to those suggestions.  I think today resolvers will look up
www.w3.org before trying www.w3.org.example.com, and any resolver that
tried them in the other order would be considered to have a security
bug.

AMC
http://www.nicemice.net/amc/
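The resolution-order point made above, as an added example that is not part of the original message: a small Python model of how a stub resolver qualifies a host name against a search list. The zone data, the search list `example.com`, and the addresses are constructed for illustration; the `ndots` threshold and the "try the name as given before appending search domains" order are a simplified rendering of the RFC-1535 behaviour, not any particular resolver's code. A trailing dot ("www.w3.org.") is treated as absolute and is never subjected to the search list, which is why it has a single meaning regardless of where it is resolved.

```python
# Added example (not from the original thread): a toy model of stub-resolver
# name qualification, contrasting "search list first" with the RFC-1535
# "name as given first" order. All zone data below is constructed.

from typing import Dict, List, Optional, Tuple

# Constructed authoritative data: the global www.w3.org and a local shadow
# www.w3.org.example.com, the scenario described in the thread. Addresses
# are from the documentation ranges (RFC 5737) and are constructed.
ZONE: Dict[str, str] = {
    "www.w3.org.": "203.0.113.10",
    "www.w3.org.example.com.": "192.0.2.50",
    "intranet.example.com.": "192.0.2.20",
}

# Constructed search list for a host inside example.com.
SEARCH_LIST: List[str] = ["example.com"]


def lookup(fqdn: str) -> Optional[str]:
    """Answer an absolute (trailing-dot) name from the constructed zone."""
    if not fqdn.endswith("."):
        raise ValueError("lookup takes absolute names only")
    return ZONE.get(fqdn.lower())


def candidates(name: str, search: List[str], ndots: int,
               absolute_first: bool) -> List[str]:
    """Return the absolute names a resolver would try, in order.

    A name with a trailing dot is already absolute and is never searched.
    Otherwise the resolver either tries the name as given first (RFC-1535
    style, when it contains at least `ndots` dots) or appends the search
    domains first (the older order the thread describes).
    """
    if name.endswith("."):
        return [name]
    as_given = name + "."
    searched = [f"{name}.{domain}." for domain in search]
    if absolute_first and name.count(".") >= ndots:
        return [as_given] + searched
    return searched + [as_given]


def resolve(name: str, search: List[str] = SEARCH_LIST, ndots: int = 1,
            absolute_first: bool = True) -> Optional[Tuple[str, str]]:
    """Resolve `name` by trying each candidate; return (fqdn, address)."""
    for cand in candidates(name, search, ndots, absolute_first):
        addr = lookup(cand)
        if addr is not None:
            return cand, addr
    return None


if __name__ == "__main__":
    # Absolute name: same answer under either order.
    print(resolve("www.w3.org."))
    print(resolve("www.w3.org.", absolute_first=False))
    # Relative name with a dot: answer depends on the resolver's order.
    print(resolve("www.w3.org"))                       # RFC-1535 order
    print(resolve("www.w3.org", absolute_first=False))  # older order
    # Single-label name still uses the search list.
    print(resolve("intranet"))
```

Running it shows the two orders diverging only for the dotted relative name "www.w3.org": the RFC-1535 order reaches the global host, the older order lands on the local shadow. "www.w3.org." and the single-label "intranet" behave the same either way.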

Received on Saturday, 28 August 2004 04:17:46 UTC