Bugtraq mailing list archives

Re: MS to stop allowing passwords in URLs
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 3 Feb 2004 11:32:12 +0100

On 2004-01-28 McAllister, Andrew wrote:

[ MS about to invalidate usage of http://<user>:<pass>@<host> in IE ]

> Anyone have any comments regarding legitimate uses of this syntax and
> Microsoft removing it from their browser? (and presumably the OS since
> the browser IS the OS).

There is no legitimate use of this syntax and never was. Although
RFC 2396 does specify a generic URI syntax allowing

  <user>:<pass>@<host>:<port>

it expressly excludes those URLs whose syntax is specified in RFC 1738:

| This document updates and merges "Uniform Resource Locators" [RFC1738]
| and "Relative Uniform Resource Locators" [RFC1808] in order to define
| a single, generic syntax for all URI.  It excludes those portions of
| RFC 1738 that defined the specific syntax of individual URL schemes;
| those portions will be updated as separate documents, as will the
| process for registration of new URI schemes.

RFC 1738 clearly says:

| An HTTP URL takes the form:
|
|      http://<host>:<port>/<path>?<searchpart>

So do RFCs 1945 and 2616.

Regards
Ansgar Wiechers
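
A defender-side check for the syntax discussed in this message, as an added example that is not part of the original post: it flags http/https URLs whose authority carries `<user>:<pass>@` and rewrites them to the RFC 1738 HTTP form quoted above. The function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample links, e.g. pulled from a mail body or a proxy log.
SAMPLE_URLS = [
    "http://alice:s3cret@intranet.example/reports?id=7",
    "http://bob@host.example:8080/",
    "http://host.example/profile/@carol?mail=carol@host.example",
    "ftp://dave:pw@ftp.example/pub",
]

def check_http_userinfo(url):
    """Return a finding dict if an http(s) URL carries <user>[:<pass>]@, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal in the authority
        return None
    if parts.scheme not in ("http", "https"):
        return None             # other schemes are outside this check
    # Only the authority (between "//" and the next "/", "?" or "#") counts;
    # an "@" in the path or query is not userinfo.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    if not at:
        return None
    user, colon, _password = userinfo.partition(":")
    return {
        "user": user,
        "has_password": bool(colon),
        "host": parts.hostname,   # the host actually contacted
    }

def strip_userinfo(url):
    """Rewrite an http(s) URL to the http://<host>:<port>/<path>?<searchpart> form."""
    if check_http_userinfo(url) is None:
        return url
    parts = urlsplit(url.strip())
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=hostport))

def scan(urls):
    """Return (url, finding) pairs for every URL that was flagged."""
    return [(u, f) for u in urls if (f := check_http_userinfo(u)) is not None]

if __name__ == "__main__":
    for url, finding in scan(SAMPLE_URLS):
        print(f"{url}\n  userinfo present: {finding} -> {strip_userinfo(url)}")
```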

