Re: How to set Http Request Header?
From: Mark Marcus (mark_at_agentnews.sales.xhome.us)
Date: 09/27/04
- Next message: Luca Paganelli: "Re: How do I use ObjectOutputStream with my objects?"
- Previous message: Tor Iver Wilhelmsen: "Re: grassfire algorithm in java"
- In reply to: Chris Uppal: "Re: How to set Http Request Header?"
- Next in thread: Chris Uppal: "Re: How to set Http Request Header?"
- Reply: Chris Uppal: "Re: How to set Http Request Header?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 27 Sep 2004 00:20:45 -0700
On Tue, 21 Sep 2004 08:57:46 +0100, "Chris Uppal"
<chris.uppal@metagnostic.REMOVE-THIS.org> wrote:
>Mark Marcus wrote:
>
>> Microsoft IE no longer accepts user:pw@.... formats anymore (as a
>> default). A user has to use REGEDIT to allow this format. It's yet
>> another example of how Microsoft doesn't know how to fix code, so they
>> break standards.
>
>While I'm no more impressed than anyone by MS's dismal record of security holes
>badly patched with security hacks, you are being overly harsh here. MS's
>standards-breaking error was that they accepted the user:pw@ notation in the
>first place, not that they later removed it.
>
>If you check RFC2616, section 3.2.2 you'll find that it does /not/ allow the @
>notation in an HTTP URL, specifically it gives the grammar as:
>
> http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
>
>It references RFC2396 (which does mention the @ syntax, but that's a much more
>general document than RFC2616) for the meaning of 'host', 'port' etc. If it
>were intended to allow the @ syntax, then it would use different terms from
>RFC2396; and might read:
>
> http_URL = "http:" "//" server [ abs_path [ "?" query ]]
>
>where (from 2396):
>
> server = [ [ userinfo "@" ] hostport ]
> hostport = host [ ":" port ]
>
Yes, it does reference 2396, it didn't obsolete it. 2396 _is_ the
standard for the URI. Section 3 of 2396 states that the syntax for a
URI is:
3. <scheme>://<authority><path>?<query>
3.2 authority = server | reg_name
3.2.2 server = [ [ userinfo "@" ] hostport ]
It is true that the RFC recommends against the use of the userinfo
data for the reasons you cite, but that doesn't justify the decision
not to support it. If the RFC intended it never to be supported, an
update would have been issued that would have removed it from the
syntax.
This last is the likely reason that non-IE browsers (still) support
the feature, while Microsoft does not. Microsoft admits that the
reason they stopped supporting the feature was because of a security
hole in IE. Rather than fix the security hole, they chose to not
support the feature. See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
Mark Marcus
Protect Your Email Address and Make Money too!
http://www.xhome.org My Sales Code is 22819
- Next message: Luca Paganelli: "Re: How do I use ObjectOutputStream with my objects?"
- Previous message: Tor Iver Wilhelmsen: "Re: grassfire algorithm in java"
- In reply to: Chris Uppal: "Re: How to set Http Request Header?"
- Next in thread: Chris Uppal: "Re: How to set Http Request Header?"
- Reply: Chris Uppal: "Re: How to set Http Request Header?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
