Link-local IPv6 addresses in URIs

Kerry Lynn <> Mon, 14 November 2011 05:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CADA011E8184 for <>; Sun, 13 Nov 2011 21:41:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LQM8NNmIcYZk for <>; Sun, 13 Nov 2011 21:41:15 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B78AA11E819D for <>; Sun, 13 Nov 2011 21:41:14 -0800 (PST)
Received: by eyg24 with SMTP id 24so5391591eyg.31 for <>; Sun, 13 Nov 2011 21:41:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=ovTexO8Q/Vnb8qc+61Q220VM+4bkYH23aSMqWDrTodw=; b=jsSJb8/7Xy32R9gRcpqb0/81AP0ilkTNL30g8hSJL6PBqo9guN8jWvoYpRnfNf92sz LCzjzxShxVK78NI3vCVgqNOmiDO3ZiSumGcRjiIf8JqOZ9lnDSMYQvt6X2tHPQgAcMP/ 2P+GWow7af2DJNMH6WY5QN//PzaxxX0P108Ug=
MIME-Version: 1.0
Received: by with SMTP id 66mr1539689eet.98.1321249272608; Sun, 13 Nov 2011 21:41:12 -0800 (PST)
Received: by with HTTP; Sun, 13 Nov 2011 21:41:12 -0800 (PST)
Date: Mon, 14 Nov 2011 00:41:12 -0500
Message-ID: <>
Subject: Link-local IPv6 addresses in URIs
From: Kerry Lynn <>
To: 6man <>
Content-Type: multipart/alternative; boundary="0016e646a4888db6ca04b1ab513a"
X-Mailman-Approved-At: Mon, 14 Nov 2011 00:41:50 -0800
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Nov 2011 05:41:16 -0000


I've noticed that a "bug" has re-appeared in Firefox:

In older versions of Firefox (e.g. 3.6.23) it is possible to enter URIs of
the form http://[fe80::206:98ff:fe00:232%tap0] in the
location bar and get a positive result.  This capability is quite handy in
simple testing scenarios and obviously requires the client and server
to be on a common link (so I don't necessarily see how it creates a
security risk.)

According to a note attached to the bug, the regression occurred as a
result of fixing a security bug:<>
504014 <>
I don't seem to have access to that bug, so I don't know the complete
rationale.  However, the note on 700999 says the title is "Enforce RFC
3986 syntax for IPv6 literals".  It goes on to say that RFC 3986
"disallows" interface specifiers (a.k.a. zone indices:

I don't see how a link-local address can be used in this context w/o
using a zone index.  Granted, RFC 3986 doesn't cover this case but
it also doesn't prohibit it.  This leads me to suspect it was an oversight,
so I'm wondering if RFC 3986 needs to be updated to cover it link-
local IPv6 literals?  If so, is there a reference that could be used to
derive the necessary ABNF?

Thanks, -K-