Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft To Remove Support For http(s) auth URLs

Posted by timothy on from the was-sonst dept.

damohasi writes "According to Microsoft Knowledge Base, MS "plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer". Whether this will break rfc 1738 or not, it might get webspace provider in trouble who offer @-domains like the German 1und1."

2 of 79 comments (clear)

  1. Re:Of Course... by drnlm · · Score: 5, Informative
    To quote the RFC:

    An HTTP URL takes the form:
    http://<host>:<port>/<path>? <searchpart>
    where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.

    The allowing of username, password in http urls is a convention, but is certainly not the standard. If Microsoft does this, they'll actually be able to claim that IE is more standards-compliant than other browsers that allow the syntax.

    Whether allowing this syntax is a good or bad idea is a completely different debate (and slashdot is arguably the wrong forum to discuss it :) ).

  2. Re:Of Course... by EvilJohn · · Score: 3, Informative
    and to Continue Quoting the RFC:
    3.1. Common Internet Scheme Syntax While the syntax for the rest of the URL may vary depending on the particular scheme selected, URL schemes that involve the direct use of an IP-based protocol to a specified host on the Internet use a common syntax for the scheme-specific data:
    //<user>:<password>@<host>:<port>/<url-path>
    ...and so on. The RFC seems to allow indicate this indeed is a valid URL contruction.
    --

    Less Talk, More Beer.