Changeset 2582


Timestamp:
26/01/14 02:04:21 (6 years ago)
Author:
fielding@…
Message:

(design) Strengthen advice on userinfo handling of untrusted URIs to a SHOULD; addresses #531

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p1-messaging.html

    r2581 r2582  
    11251125                  configuration of authentication information, such as within command invocation options, configuration files, or bookmark lists,
    11261126                  even though such usage might expose a user identifier or password. A sender <em class="bcp14">MUST NOT</em> generate the userinfo subcomponent (and its "@" delimiter) when an "http" URI reference is generated within a message as a
    1127                   request target or header field value. Before making use of an "http" URI reference received from an untrusted source, a recipient
    1128                   ought to parse for userinfo and treat its presence as an error; it is likely being used to obscure the authority for the sake
    1129                   of phishing attacks.
     1127                  request target or header field value. Before making use of an "http" URI reference received from an untrusted source, a recipient <em class="bcp14">SHOULD</em> parse for userinfo and treat its presence as an error; it is likely being used to obscure the authority for the sake of phishing
     1128                  attacks.
    11301129               </p>
    11311130            </div>
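Review bot: the new SHOULD on line 1127 depends on the phrase "untrusted source", which this paragraph does not define, while the unchanged context on lines 1125-1126 still allows userinfo in configuration files and bookmark lists. From this text an implementer cannot tell whether a bookmark or configuration entry obtained from someone else counts as untrusted. Suggest adding a clause that says which inputs the requirement covers, for example references received in messages or documents as opposed to ones the user entered locally.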
  • draft-ietf-httpbis/latest/p1-messaging.xml

    r2581 r2582  
    929929   request target or header field value.
    930930   Before making use of an "http" URI reference received from an untrusted
    931    source, a recipient ought to parse for userinfo and treat its presence as
     931   source, a recipient &SHOULD; parse for userinfo and treat its presence as
    932932   an error; it is likely being used to obscure the authority for the sake of
    933933   phishing attacks.
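Review bot: on line 931, "treat its presence as an error" becomes a normative requirement but does not say what the recipient does once it has flagged the error: refuse to use the reference, or strip the userinfo and continue. The two differ for the phishing case named on lines 932-933, because stripping and continuing still takes the user to the authority the userinfo was obscuring. Suggest stating the expected handling and, since this is a SHOULD rather than a MUST, the circumstances in which a recipient may accept userinfo.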