userinfo allowed in http URI or not?

It looks from
http://lists.w3.org/Archives/Public/uri/
that this list is open to non-subscribers, so I try and send this message.

As you may know Microsoft is going to remove the userinfo from http URLs
for Internet Explorer, so that URIs like:

http://userinfo@host

won't work anymore.

While discussing that I and some others looked up what RFCs have to say
about it and the result is quite confusing.

Summary:

1738 says "not allowed":
3.3. HTTP:
http://<host>:<port>/<path>?<searchpart>
No user name or password is allowed

http://www.iana.org/assignments/uri-schemes says 2616 is relevant for http
URIs and not 1738 anymore
2616 refers to 2396 for http URIs

2396 says it merges/updates/revises/replaces 1738/1808 in respect to
scheme-specific URIs. It doesn't list userinfo for http. So, is 1738 still
relevant here?

2396bis
http://www.gbiv.com/protocols/uri/rev-2002/rfc2396bis.html
doesn't list userinfo in the BNF syntax, but it's mentioned as an example.

It's also deemed "not recommended" in general in most of the documents and
looking thru some of the documents and discussions you can find under the
various links at
http://www.w3.org/Addressing/
it seems like everyone thinks it's valid.

Well, is it a valid http URI or not? Why is there so much confusion in the
documents? Could you please add a definitive statement on userinfo in
2396bis and either add it explicitly to the BNF syntax or clearly state
it's invalid?

Thanks for any explanations :-)

Kai

--

Kai Schätzl, Berlin, Germany

Received on Sunday, 1 February 2004 23:32:22 UTC
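
The two readings the message contrasts, as an added example that is not part of the original message: it splits a URI with the regular expression given in RFC 2396 Appendix B, then reports whether an http URI carries a userinfo component, which the RFC 1738 section 3.3 form quoted above has no slot for. The function names and every sample URI other than `http://userinfo@host` are constructed for illustration.

```python
import re

# URI-splitting regular expression given in RFC 2396, Appendix B.
URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")

# host is either a bracketed IPv6 literal or everything up to the first ":".
HOSTPORT_RE = re.compile(r"^(\[[^\]]*\]|[^:]*)(?::(.*))?$")


def split_authority(authority):
    """Return (userinfo, host, port); a part that is absent is None."""
    # Host and port cannot contain "@", so the last "@" ends the userinfo.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo = None  # no "@" at all: there is no userinfo component
    host, port = HOSTPORT_RE.match(hostport).groups()
    return userinfo, host, port


def check_http_uri(uri):
    """Describe the authority of an http URI under both readings."""
    m = URI_RE.match(uri)
    scheme, authority = m.group(2), m.group(4)
    if scheme is None or scheme.lower() != "http" or authority is None:
        raise ValueError("not an http URI with an authority: %r" % uri)
    userinfo, host, port = split_authority(authority)
    return {
        "userinfo": userinfo,
        "host": host,
        "port": port,
        # RFC 1738 section 3.3: http://<host>:<port>/<path>?<searchpart>
        "rfc1738_http_form": userinfo is None,
    }


if __name__ == "__main__":
    samples = [                      # constructed, except the second one
        "http://host:80/path?x",
        "http://userinfo@host",      # the form quoted in the message
        "http://user:pw@[2001:db8::1]:8080/",
        "http://@host/",             # empty userinfo is still userinfo
    ]
    for s in samples:
        print(s, check_http_uri(s))
```

An empty userinfo (`http://@host/`) is reported as present rather than absent, because the "@" delimiter itself is what the RFC 1738 http form has no place for.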