Changeset 2582

Timestamp:

26/01/14 02:04:21 (7 years ago)

Author:

fielding@…

Message:

(design) Strengthen advice on userinfo handling of untrusted URIs to a SHOULD; addresses #531

Location:

draft-ietf-httpbis/latest

Files:

• p1-messaging.html (modified) (1 diff)
• p1-messaging.xml (modified) (1 diff)

draft-ietf-httpbis/latest/p1-messaging.html

@@ -1125 +1125 @@
                   configuration of authentication information, such as within command invocation options, configuration files, or bookmark lists,
                   even though such usage might expose a user identifier or password. A sender <em class="bcp14">MUST NOT</em> generate the userinfo subcomponent (and its "@" delimiter) when an "http" URI reference is generated within a message as a
-                  request target or header field value. Before making use of an "http" URI reference received from an untrusted source, a recipient
-                  ought to parse for userinfo and treat its presence as an error; it is likely being used to obscure the authority for the sake
-                  of phishing attacks.
+                  request target or header field value. Before making use of an "http" URI reference received from an untrusted source, a recipient <em class="bcp14">SHOULD</em> parse for userinfo and treat its presence as an error; it is likely being used to obscure the authority for the sake of phishing
+                  attacks.
                </p>
             </div>

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -929 +929 @@
    request target or header field value.
    Before making use of an "http" URI reference received from an untrusted
-   source, a recipient ought to parse for userinfo and treat its presence as
+   source, a recipient &SHOULD; parse for userinfo and treat its presence as
    an error; it is likely being used to obscure the authority for the sake of
    phishing attacks.