httpd-docs mailing list archives

From André Malo
Subject Re: Docs correction? re Auth
Date Wed, 11 Dec 2002 23:01:43 GMT
* Rodent of Unusual Size wrote:

> André Malo wrote:
>> The problem is: Such a URL is illegal. It's explicitly
>> forbidden by RFC 1738 and RFC 2616.
> rfc 1738 section 3.1 defines this as a valid syntax.  section

valid *generic* syntax, which will be restricted later, yes.

> 3.3 says it's not permitted in http: uris -- which is fine,
> since it is never(1) sent to the server.

That's not the point of failure. If I have a user interface that allows
such "extended URLs" to be typed in and converts them to HTTP headers -

But <a href="..."> is defined to contain a valid URI (reference). In case 
of the http scheme, it may not contain any credentials. Otherwise the 
behaviour is simply undefined.

> the client always(1)
> decomposes it into a valid http: uri and an authorization:
> request header field.  therefore, modulo my previous message,
> this trick should(1) work for all semi-reasonable clients.
> (1) i know of *no* clients that do not handle this as described,
> but it's possible there are some.  they would hardly be mainstream,
> in any case, and almost certainly batch clients rather than
> user-interfacing browsers.

As said before: I've tried this (some time ago, a year or so).
I configured a proxy in the browser(s) and in my tests MSIE was the
*only* client which spreads the credentials around the world (401 or not)
as headers.
Tested also: NN4, Lynx, Opera 5, wget and some others (win32). All of them
sent the wrong URI to the proxy server (could see this in the proxy logs).

The next point is: browsers are not the only possible HTTP clients. If you
think about, say, DAV clients, the "logout" will become more undefined than
ever. Especially if they are compliant with the particular RFCs.

If only engineers with a degree wrote programs, we would
probably have less bad software.
But we would also have less good software.
                                   -- Felix von Leitner in dasr
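
The decomposition discussed in this message, as an added example that is not part of the original post or of any httpd code: it splits an http(s) URL carrying credentials into a clean URI plus a Basic `Authorization` value, and audits `<a href>` values for such URLs. The function names, the sample markup and the `example.com` hosts are constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, unquote


def decompose(url):
    """Return (clean_url, authorization_value) for an http(s) URL.

    authorization_value is None when the URL carries no userinfo or
    uses another scheme (RFC 1738 allows user:password in ftp URLs).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or "@" not in parts.netloc:
        return url, None
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    token = base64.b64encode(
        f"{unquote(user)}:{unquote(password)}".encode("utf-8")).decode("ascii")
    clean = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return clean, "Basic " + token


class HrefAudit(HTMLParser):
    """Collect <a href> values whose http(s) URL contains credentials."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and decompose(value)[1] is not None:
                self.findings.append(value)


def audit_html(markup):
    """Return every credential-bearing http(s) link found in markup."""
    parser = HrefAudit()
    parser.feed(markup)
    return parser.findings


# Constructed sample markup (not taken from the thread).
SAMPLE = '''<a href="http://user:secret@www.example.com/private/">private</a>
<a href="http://www.example.com/docs/">docs</a>
<a href="ftp://anonymous:guest@ftp.example.com/pub/">ftp</a>'''

if __name__ == "__main__":
    for href in audit_html(SAMPLE):
        print(href, "->", *decompose(href))
```

A client that forwards the original string unchanged, as the proxy logs described above showed, puts the credentials in the request line, so a link audit like this is best run before such pages are published.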
