Re: MS announces change in IE behavior

• Previous message: Russ: "Re: MS announces change in IE behavior"
• In reply to: Russ: "Re: MS announces change in IE behavior"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Thu, 29 Jan 2004 00:45:46 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

>No doubt some who will cry foul, "Hey, you're breaking the RFC",

Not at all, the RFC specification says that http authentication is not
allowed in a http url, it is allowed in a generic URI but not for HTTP urls,
this is an exception!
RFC 1738 - Page 8

3.3. HTTP

   The HTTP URL scheme is used to designate Internet resources
   accessible using HTTP (HyperText Transfer Protocol).

   The HTTP protocol is specified elsewhere. This specification only
   describes the syntax of HTTP URLs.

   An HTTP URL takes the form:

      http://>:<port>/<path>?<searchpart>

   where <host> and <port> are as described in Section 3.1. If :<port>
   is omitted, the port defaults to 80. No user name or password is
   allowed.

So, Microsoft is in fact sticking to the RFC this time, something they
should have done long time ago. I have been blocking this "http
authentication" in every mail I received on my domain for over a year, but
when I saw the IE url obfuscation issue a few weeks back, I was amased that
nobody knew this, so I thought I was wrong and that's why I didn't reply.
Microsoft still gets a "D" from me for this big mess!

Regards,
Parcifal Aertssen
AQTRONIX
http://www.aqtronix.com/

-----
NTBugtraq Editor's Note:

I'm looking for an event at which I can speak in Australia, specifically near Brisbane, as close to Christmas as possible. Anyone interested in flying me down under at that time, please contact me at Russ.Cooper@rc.on.ca
-----

• Previous message: Russ: "Re: MS announces change in IE behavior"
• In reply to: Russ: "Re: MS announces change in IE behavior"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]