Changeset 1157


Timestamp:
Mar 9, 2011, 4:25:45 PM (8 years ago)
Author:
fielding@…
Message:

Discussion on list suggests that userinfo remains in common use
for configuration or command options, so it needs to be defined.
However, we can exclude it from being sent in messages.

Addresses #159

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p1-messaging.html

    r1156 r1157  
    11341134         — it is only the authoritative interface used for mapping the namespace that is specific to TCP.
    11351135      </p>
    1136       <p id="rfc.section.2.6.1.p.7">The URI generic syntax for authority also includes a deprecated userinfo subcomponent (<a href="#RFC3986" id="rfc.xref.RFC3986.15"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-3.2.1">Section 3.2.1</a>) for including user authentication information in the URI. The userinfo subcomponent (and its "@" delimiter) <em class="bcp14">MUST NOT</em> be used in an "http" URI. URI reference recipients <em class="bcp14">SHOULD</em> parse for the existence of userinfo and treat its presence as an error, likely indicating that the deprecated subcomponent
     1136      <p id="rfc.section.2.6.1.p.7">The URI generic syntax for authority also includes a deprecated userinfo subcomponent (<a href="#RFC3986" id="rfc.xref.RFC3986.15"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-3.2.1">Section 3.2.1</a>) for including user authentication information in the URI. Some implementations make use of the userinfo component for internal
     1137         configuration of authentication information, such as within command invocation options, configuration files, or bookmark lists,
     1138         even though such usage might expose a user identifier or password. Senders <em class="bcp14">MUST NOT</em> include a userinfo subcomponent (and its "@" delimiter) when transmitting an "http" URI in a message. Recipients of HTTP messages
     1139         that contain a URI reference <em class="bcp14">SHOULD</em> parse for the existence of userinfo and treat its presence as an error, likely indicating that the deprecated subcomponent
    11371140         is being used to obscure the authority for the sake of phishing attacks.
    11381141      </p>
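Review bot: The sender requirement at new line 1138 ("Senders MUST NOT include a userinfo subcomponent (and its "@" delimiter) when transmitting an "http" URI in a message") does not say what an implementation should do with a URI that already carries userinfo from the sources the preceding sentence now permits (command invocation options, configuration files, bookmark lists). Since the same paragraph acknowledges that such usage might expose a user identifier or password, consider stating explicitly that userinfo and the "@" delimiter are removed before the URI is placed anywhere in a message, so that credentials held in local configuration cannot be sent by an implementation that copies the configured URI verbatim.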
  • draft-ietf-httpbis/latest/p1-messaging.xml

    r1156 r1157  
    10571057   The URI generic syntax for authority also includes a deprecated
    10581058   userinfo subcomponent (<xref target="RFC3986" x:fmt="," x:sec="3.2.1"/>)
    1059    for including user authentication information in the URI.  The userinfo
    1060    subcomponent (and its "@" delimiter) &MUST-NOT; be used in an "http"
    1061    URI.  URI reference recipients &SHOULD; parse for the existence of
    1062    userinfo and treat its presence as an error, likely indicating that
    1063    the deprecated subcomponent is being used to obscure the authority
    1064    for the sake of phishing attacks.
     1059   for including user authentication information in the URI.  Some
     1060   implementations make use of the userinfo component for internal
     1061   configuration of authentication information, such as within command
     1062   invocation options, configuration files, or bookmark lists, even
     1063   though such usage might expose a user identifier or password.
     1064   Senders &MUST-NOT; include a userinfo subcomponent (and its "@"
     1065   delimiter) when transmitting an "http" URI in a message.  Recipients
     1066   of HTTP messages that contain a URI reference &SHOULD; parse for the
     1067   existence of userinfo and treat its presence as an error, likely
     1068   indicating that the deprecated subcomponent is being used to obscure
     1069   the authority for the sake of phishing attacks.
    10651070</t>
    10661071</section>
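Review bot: The recipient requirement at new lines 1065-1068 changes the subject from "URI reference recipients" to "Recipients of HTTP messages that contain a URI reference" but still says only "treat its presence as an error", with no indication of what the error handling is (reject the message, ignore the reference, or strip userinfo and continue). Because the stated rationale is that userinfo is used to obscure the authority for phishing, the text should say which outcome is expected, and should confirm that narrowing the scope to HTTP messages is intended, since URI references reaching a recipient by other means are no longer covered by this SHOULD.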