Bugtraq mailing list archives
Re: MS to stop allowing passwords in URLs
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 3 Feb 2004 11:32:12 +0100
On 2004-01-28 McAllister, Andrew wrote: [ MS about to invalidate usage of http://<user>:<pass>@<host> in IE ]
Anyone have any comments regarding legitimate uses of this syntax and Microsoft removing it from their browser? (and presumably the OS since the browser IS the OS).
There is no legitimate use of this syntax and never was. Although RFC 2396 does specify a generic URI syntax allowing <user>:<pass>@<host>:<port> it expressly excludes those URLs whose syntax is specified in RFC 1738: | This document updates and merges "Uniform Resource Locators" [RFC1738] | and "Relative Uniform Resource Locators" [RFC1808] in order to define | a single, generic syntax for all URI. It excludes those portions of | RFC 1738 that defined the specific syntax of individual URL schemes; | those portions will be updated as separate documents, as will the | process for registration of new URI schemes. RFC 1738 clearly says: | An HTTP URL takes the form: | | http://<host>:<port>/<path>?<searchpart> So do RFCs 1945 and 2616. Regards Ansgar Wiechers
Current thread:
- MS to stop allowing passwords in URLs McAllister, Andrew (Feb 02)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- RE: MS to stop allowing passwords in URLs Joe Weisenberger (Feb 03)
- Re: MS to stop allowing passwords in URLs N407ER (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave Warren (Feb 03)
- Re: MS to stop allowing passwords in URLs David B Harris (Feb 03)
- Re: MS to stop allowing passwords in URLs Östlund (Feb 04)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 06)
- Message not available
- Re: MS to stop allowing passwords in URLs Vinny Abello (Feb 03)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- Re: MS to stop allowing passwords in URLs Ansgar -59cobalt- Wiechers (Feb 03)
- RE: MS to stop allowing passwords in URLs Andrew Harwood (Feb 03)
- Re: MS to stop allowing passwords in URLs 3APA3A (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave McCormick (Feb 03)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 03)
- Message not available
- Re: MS to stop allowing passwords in URLs Paul Smith (Feb 03)
- RE: MS to stop allowing passwords in URLs Richard M. Smith (Feb 03)
- <Possible follow-ups>
- RE: MS to stop allowing passwords in URLs Francis Favorini (Feb 03)
- RE: MS to stop allowing passwords in URLs Thor Larholm (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 05)