- From: by way of Martin Duerst <maillists@conactive.com>
- Date: Mon, 02 Feb 2004 10:53:17 -0500
- To: uri@w3.org
> 2396 defines the generic syntax for all schemes, some of which include
> userinfo as a valid option. It is not appropriate for it to say
> anything
> more than it already does, which is basically that it is not recommended
> for any scheme.

I see what you mean. However, it seems that all browser vendors just looked at 2396 and used the generic URI syntax for the http implementation, just ignoring what 1738 (not allowed) or 2616 (not mentioned => not allowed) say about userinfo. Especially in a case where all actual evidence (= browsers in use) is proof against an RFC one should clearly state if something is not allowed but in common use.

I suggest adding something like this to 2396bis:

Paragraph 3.2 Authority:
Some schemes do not allow the userinfo and/or port sub-components. F.i. the http scheme does not allow userinfo at the time of this writing, although most user agents support it, for more information see [RFC 2616].

Simply because this invalid scheme syntax is the most prominent mistake done with scheme-specific URIs.

If I look at the current 3.2 I see this paragraph:

> Some schemes do not allow the userinfo and/or port sub-components. When presented with a URI
> that violates one or more scheme-specific restrictions, the scheme-specific URI resolution
> process should flag the reference as an error rather than ignore the unused parts; doing so
> reduces the number of equivalent URIs and helps detect abuses of the generic syntax that might
> indicate the URI has been constructed to mislead the user (section 7.5).
>

and in section 7.5 there is an invalid http URI mentioned as the only example and it also refers to the Siedzik document which talks a lot about these URIs, but does not mention in a single sub clause that it is invalid. All you (I) get from reading 3.2 and 7.5 is "it's not in the scheme but it seems to be valid". If it is invalid one should not use it as an example. Instead it should be clearly stated that it is an *invalid* example, although in common use. Don't you think so?

>
> Getting implementers to understand that passive user security is more
> important than backwards compatibility has proven to be difficult.
> The spec has to draw a fine line between describing how existing
> systems work and how they should work, particularly when the software
> is revised faster than the specifications.
>

But I don't see how saying "it is not recommended" would help here. Surely a clear word "it is not allowed for the http scheme" makes much more impact (if at all). If you look at http://www.gbiv.com/protocols/uri/rev-2002/issues.html#029-decimal-IP you see that members of this list (who should know what is valid or not) assume it is valid.

Kai

--
Kai Schätzl, Berlin, Germany
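As an added illustration of the section 3.2 behaviour debated in this message (example code written for this archive page, not from the RFC editors, Kai, or any browser vendor), a small Python parser that splits a URI with the generic-syntax regular expression from RFC 2396 Appendix B and then, for http and https, flags a userinfo sub-component as an error instead of silently dropping it. The authority regex, the list of schemes treated as not allowing userinfo, and the sample URIs are my own assumptions.

```python
import re

# RFC 2396 Appendix B regular expression for the generic URI syntax
# (scheme, authority, path, query, fragment). This pattern is the RFC's own.
_URI_RE = re.compile(r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?')

# Assumed split of the authority into userinfo@host:port (no IPv6 literals,
# which RFC 2396 itself did not cover).
_AUTHORITY_RE = re.compile(r'^(?:(?P<userinfo>[^@]*)@)?(?P<host>[^:]*)(?::(?P<port>\d*))?$')

# Assumption for this example: schemes whose own definitions (RFC 1738 /
# RFC 2616, as discussed above) do not allow the userinfo sub-component.
NO_USERINFO_SCHEMES = {"http", "https"}


def parse_uri(uri):
    """Split a URI into generic-syntax components, then split the authority."""
    m = _URI_RE.match(uri)
    parts = {
        "scheme": m.group(2).lower() if m.group(2) else None,
        "authority": m.group(4),
        "path": m.group(5),
        "query": m.group(7),
        "fragment": m.group(9),
        "userinfo": None, "host": None, "port": None,
    }
    if parts["authority"] is not None:
        a = _AUTHORITY_RE.match(parts["authority"])
        if a is None:
            raise ValueError("malformed authority: %r" % parts["authority"])
        parts["userinfo"] = a.group("userinfo")
        parts["host"] = a.group("host")
        parts["port"] = a.group("port")
    return parts


def resolve_check(uri):
    """Scheme-specific check in the spirit of 2396bis section 3.2: a userinfo
    in a scheme that does not allow it is flagged as an error rather than
    ignored, so that a reference built to look like one host while pointing
    at another does not pass unnoticed. Returns (ok, components_or_reason)."""
    parts = parse_uri(uri)
    if parts["scheme"] in NO_USERINFO_SCHEMES and parts["userinfo"] is not None:
        return False, "userinfo %r is not allowed in a %s URI; flagging instead of ignoring" % (
            parts["userinfo"], parts["scheme"])
    return True, parts
```

The second sample in the test below is a constructed URI of the kind section 7.5 warns about: the part a casual reader takes for the host is in fact the userinfo, and the real host follows the "@".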
Received on Monday, 2 February 2004 10:54:49 UTC