Section 5.4.2 of RFC 3986 not actually 'legal' syntax

I image members of the TAG are no doubt aware of the following news event:

On December 31, 2004, Cuthbert, using an Apple laptop and Safari
browser, became concerned that a website collecting credit card
details for donations to the Tsunami appeal could be a phishing site.
After making a donation, and not seeing a final confirmation or
thank-you page, Cuthbert put ../../../ into the address line. If the
site had been unprotected this would have allowed him to move up three

>From <>

Will section 5.4.2 of RFC 3986 be amended to indicate that the
"../../../" syntax is no longer valid syntax, despite being explicitly
declared valid by the current RFC text? I was also wondering if any
other elements of Internet and WWW design will be delegated to the
British courts.

It's funny, and very much not so, all at the same time.


The web-calculus is the union of REST and capability-based security:

Name your trusted sites to distinguish them from phishing sites.

Received on Wednesday, 12 October 2005 06:13:11 UTC