Re: [apps-discuss] RFC6454 "the web origin concept" obsoleted?

John C Klensin <> Mon, 18 July 2016 22:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 39AE712DB33 for <>; Mon, 18 Jul 2016 15:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sVRUfFAjbdOs for <>; Mon, 18 Jul 2016 15:04:04 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6093B12DB25 for <>; Mon, 18 Jul 2016 15:04:04 -0700 (PDT)
Received: from [] (helo=JcK-HP8200) by with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <>) id 1bPGdl-0009E3-W6; Mon, 18 Jul 2016 18:03:53 -0400
Date: Mon, 18 Jul 2016 18:03:48 -0400
From: John C Klensin <>
To: Daniel Stenberg <>
Message-ID: <65E4055212E7B71DAAAB6FF9@JcK-HP8200>
In-Reply-To: <>
References: <> <>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Archived-At: <>
Subject: Re: [apps-discuss] RFC6454 "the web origin concept" obsoleted?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Jul 2016 22:04:06 -0000


One, possibly-useful addition to what Daniel has written below.
According to RFC 3986, but completely ignored or rejected by the
WHATWG URL spec, one of the reasons the terminology was switched
to focus on the term "URI" is that there are URIs that are not
URLs or even "locators" but "names".  In retrospect, that switch
might have been a mistake but it affects today's reality.  In
particular, the most important name-type URIs are URNs (or,
because there is even more confusion, more precisely URIs of
scheme "urn:").  URNs of that variety (specified by RFC 2141)
never use "://", a typical one might look like
"urn:ietf:rfc:3986" or "urn:issn:2070-1721".

Independent of the [URL] document, many people have argued
strongly that, for example, the piece of HTML that allows URLs
in <a> elements is required to accept [generalized] URIs (not
just HTTP and HTTPS URLs) and process them in some way, making
the above distinctions either important or troublesome,
depending on how one looks at the issue.  "Argued strongly" is
not intended as any disrespect -- it is hard to read the HTML
specs in any other way.

The URNBIS WG is in the process of updating RFC 2141 and some
related specs to allow more capabilities and to better reflect
contemporary practice and requirements.  I'd recommend its
mailing list, discussions, and documents to anyone interested in
seeing another direction for where these discussions lead.


--On Monday, July 18, 2016 23:00 +0200 Daniel Stenberg
<> wrote:

> On Mon, 18 Jul 2016, wrote:
>> * Are the changes to RFC3986 & RFC3987 evidenced in [URL]
>> widely applicable  to all URL-utilizing specs and if so, do
>> we obsolete them and point to  [URL], or backport the changes
>> to RFC3986bis & RFC3987bis? Or do something  else, or do
>> nothing?
> The [URL] spec is mostly followed by browsers while the rest
> of the URL parsing world is all over the place but very few
> non-browsers implement the [URL] spec and instead do various
> mixes of what the RFCs say and the browsers do. I blogged
> about this exact issue a short while ago [1] after having
> realized the [URL] spec says eight thousand slashes in a HTTP
> URL is fine and should be parsed.
> I personally am not a fan of neither the [URL] spec style (I
> find it very hard to read), how it is being written or what it
> says a URL can look like. But I know I get a lot of objections
> and "web compatibility" arguments thrown at me when I say so...
> So the RFCs are currently lacking a lot when it comes to
> parsing modern URLs, but the [URL] spec is not even trying to
> make a spec for an entire web infrastructure so it isn't a
> generic solution either. I don't have a good answer for where
> we should go from here.
> [1] =