httpd-docs mailing list archives

From André Malo ...@perlig.de>
Subject Re: Docs correction? re Auth
Date Wed, 11 Dec 2002 23:01:43 GMT
* Rodent of Unusual Size wrote:

> André Malo wrote:
>>
>> The problem is: Such a URL is illegal. It's explicitly
>> forbidden by RFC 1738 and RFC 2616.
> 
> rfc 1738 section 3.1 defines this as a valid syntax.  section

valid *generic* syntax, which will be restricted later, yes.

> 3.3 says it's not permitted in http: uris -- which is fine,
> since it is never(1) sent to the server.

That's not the point of failure. If I have a user interface that allows 
such "extended URLs" to be typed in and converts them to HTTP headers - 
fine.

But <a href="..."> is defined to contain a valid URI (reference). In case 
of the http scheme, it may not contain any credentials. Otherwise the 
behaviour is simply undefined.

> the client always(1)
> decomposes it into a valid http: uri and an authorization:
> request header field.  therefore, modulo my previous message,
> this trick should(1) work for all semi-reasonable clients.
> 
> (1) i know of *no* clients that do not handle this as described,
> but it's possible there are some.  they would hardly be mainstream,
> in any case, and almost certainly batch clients rather than
> user-interfacing browsers.

As said before: I've tried this (some time ago, a year or so).
I configured a proxy in the browser(s) and in my tests MSIE was the 
*only* client which spreads the credentials around the world (401 or not) 
as headers.
Also tested: NN4, Lynx, Opera 5, wget and some others (win32). All of them 
sent the wrong URI to the proxy server (I could see this in the proxy logs).

The next point is: browsers are not the only possible HTTP clients. If you 
think about, say, DAV clients, the "logout" will become more undefined than 
ever. Especially if they are compliant with the particular RFCs.

nd
-- 
If only engineers with a degree wrote programs, we would
probably have less bad software.
We would, however, also have less good software.
                                   -- Felix von Leitner in dasr
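
Added example (not part of the original message): a Python check that flags `<a href>` values using the http or https scheme with userinfo, the form the thread says RFC 1738 section 3.3 does not permit, and shows the request URI plus Authorization header that a client performing the decomposition described above would produce. The sample HTML, the host names and the `logout:invalid` pair are constructed, and `decompose` and `find_credential_links` are hypothetical names.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample page; host names and the "logout:invalid" pair are made up.
SAMPLE_HTML = """
<a href="http://logout:invalid@www.example.com/private/">Log out</a>
<a href="http://www.example.com/docs/">Docs</a>
<a href="ftp://anonymous:guest@ftp.example.com/pub/">FTP mirror</a>
"""

class HrefCollector(HTMLParser):
    """Collect the href value of every <a> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def decompose(url):
    """Split an http(s) URL carrying userinfo into (clean_url, Authorization value).

    Returns (url, None) when the URL is not http(s) or has no userinfo.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url, None
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    clean = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    pair = f"{unquote(user)}:{unquote(password)}".encode("utf-8")
    return clean, "Basic " + base64.b64encode(pair).decode("ascii")

def find_credential_links(html):
    """Return (href, clean_url, header) for each <a href> with http(s) userinfo."""
    collector = HrefCollector()
    collector.feed(html)
    triples = ((h, *decompose(h)) for h in collector.hrefs)
    return [t for t in triples if t[2] is not None]

if __name__ == "__main__":
    for href, clean, header in find_credential_links(SAMPLE_HTML):
        print(f"{href}\n  request URI: {clean}\n  Authorization: {header}")
```

The ftp link is not reported because the check only covers the http and https schemes.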
