Re: Adding user@ to HTTP[S] URIs

Daniel Stenberg <daniel@haxx.se> Mon, 27 January 2020 14:26 UTC

To: Rick van Rein <rick@openfortress.nl>
cc: James Fuller <jim@webcomposite.com>, Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>

On Mon, 27 Jan 2020, Rick van Rein wrote:

> How shocking would it be to current usage of the Basic pattern to use an 
> explicit, empty password?  Several other browsers use "foo:@localhost" for 
> Basic if they want to avoid popups.

I'm not suggesting that curl's way of treating this information is the golden
standard or anything, either for URI parsing or HTTP headers. I'm just
providing data points showing this is a tough change. (curl has supported this
URI style since 2003.)

-- 

  / daniel.haxx.se