W3C home > Mailing lists > Public > uri@w3.org > February 2004

Re: userinfo%20allowed%20in%20http%20URI%20or%20not

From: by way of Martin Duerst <maillists@conactive.com>
Date: Mon, 02 Feb 2004 10:53:17 -0500
Message-Id: <>
To: uri@w3.org

 > 2396 defines the generic syntax for all schemes, some of which include
 > userinfo as a valid option.  It is not appropriate for it to say
 > anything
 > more than it already does, which is basically that it is not recommended
 > for any scheme.

I see what you mean. However, it seems that all browser vendors just looked 
at 2396
and used the generic URI syntax for the http implementation, just ignoring 
what 1738
(not allowed) or 2616 (not mentioned => not allowed) say about userinfo. 
in a case where all actual evidence (= browsers in use) is proof against an 
RFC one
should clearly state if something is not allowed but in common use.
I suggest adding something like this to 2396bis:

Paragraph 3.2 Authority:
Some schemes do not allow the userinfo and/or port sub-components. F.i. the 
http scheme does
not allow userinfo at the time of this writing, although most user agents 
support it, for more
information see [RFC 2616].

Simply because this invalid scheme syntax is the most prominent mistake 
done with scheme-specific

If I look at the current 3.2 I see this paragraph:
 > Some schemes do not allow the userinfo and/or port sub-components. When 
presented with a URI
 > that violates one or more scheme-specific restrictions, the 
scheme-specific URI resolution
 > process should flag the reference as an error rather than ignore the 
unused parts; doing so
 > reduces the number of equivalent URIs and helps detect abuses of the 
generic syntax that might
 > indicate the URI has been constructed to mislead the user (section 7.5).

and in section 7.5 there is an invalid http URI mentioned as the only 
example and it also refers
to the Siedzik document which talks a lot about these URIs, but does not 
mention in a single
sub clause that it is invalid. All you (I) get from reading 3.2 and 7.5 is 
"it's not in
the scheme but it seems to be be valid". If it is invalid one should not 
use it as an example.
Instead it should be clearly stated that it is an *invalid* example, 
although in common use.
Don't you think so?

 > Getting implementers to understand that passive user security is more
 > important than backwards compatibility has proven to be difficult.
 > The spec has to draw a fine line between describing how existing
 > systems work and how they should work, particularly when the software
 > is revised faster than the specifications.

But I don't see how saying "it is not recommended" would help here. Surely 
a clear word
"it is not allowed for the http scheme" makes much more impact (if at all).

If you look at
you see that members of this list (who should know what is valid or not) 
assume it is valid.


Kai Sch糘zl, Berlin, Germany
Received on Monday, 2 February 2004 10:54:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:07 UTC