Microsoft To Remove Support For http(s) auth URLs
damohasi writes "According to Microsoft Knowledge Base, MS "plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer". Whether this will break RFC 1738 or not, it might get webspace providers who offer @-domains, like the German 1und1, in trouble."
...note that Slashdot doesn't allow them either, and for similar reasons. :)
http://goatse.cx%01%00@microsoft.com/ <-- I wonder why?
pb Reply or e-mail; don't vaguely moderate.
The reason they are doing this is due to the security hole that was found in IE recently.
Instead of fixing the bug that is causing the security hole they remove the feature. How stupid and dumb is that? It is more-or-less saying, "We have got no idea how to program and cannot make enough sense of our own code to fix a security issue."
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
I'm not sure that's correct. The browser relies on the inet dlls to make connections - and they will be the bits that are changed. (i.e. the edit field in the browser will not parse the text, it'll pass it on to the comms subsystem).
If MS alters the inet dlls then all http communications will be affected by the change, and so the server will never see any packets even if you connect via scripts. (which is a good thing, you don't want a vbs script to auto-open hackers.com@www.ebay.com)
I think it's only a matter of time before the other browsers fix their systems to work in the same way - the feature is not standards compliant, so ... best get rid of it now (and not get hit with a similar exploit).
This "solution" still sucks, there are good reasons to use such URLs, and for many of them, you explicitly do not want a popup. The 1und1 "@-domains" are not one of those however, these idiots deserve to suffer (and the morons who paid for this... well, a fool and his money...)
Programming can be fun again. Film at 11.
No, you are incorrect.
The URL standard allows for a username and password, but it is not required. However, the HTTP and HTTPS section of the URL standard specifically disallows the use of a username and password.
URL RFC
Read section 3: (some of the text below is garbled, because I don't feel like escaping out all the > and < in the text below; however, that does not change the important bits.)
3.3 HTTP
The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).
The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs.
An HTTP URL takes the form:
http://>:/?
where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.
Within the and components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure.
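The rule quoted in the comment above ("No user name or password is allowed" in an HTTP URL) can be checked mechanically before a link is followed or logged. The sketch below is an added example, not part of any comment in this thread and not Microsoft's update; the function name `audit_http_url` and all sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_to_bytes


def audit_http_url(url):
    """Return a finding dict if an http(s) URL carries userinfo, else None.

    Hypothetical helper: it reports the host the client would really
    connect to, and whether the userinfo part is dressed up to mislead.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # other schemes (e.g. ftp) are outside the quoted rule
    if "@" not in parts.netloc:
        return None  # no userinfo: conforms to the quoted HTTP URL form
    userinfo = parts.netloc.rpartition("@")[0]
    raw = unquote_to_bytes(userinfo)  # decode %xx escapes to raw bytes
    user = userinfo.partition(":")[0]
    return {
        # everything before the last "@" is userinfo, never the host
        "real_host": parts.hostname,
        "userinfo": userinfo,
        # encoded control bytes such as %01 or %00 have no place in a login
        "has_control_bytes": any(b < 0x20 or b == 0x7F for b in raw),
        # a dotted "user name" reads like a domain to a human
        "userinfo_looks_like_host": "." in user,
    }


if __name__ == "__main__":
    # Constructed sample URLs (reserved .example names), not real sites.
    samples = [
        "http://www.trusted.example%01%00@other.example/",
        "https://alice:s3cret@intranet.example/reports",
        "http://www.example.com/index.html",
        "ftp://anonymous:guest@ftp.example.org/pub",
    ]
    for s in samples:
        print(s, "->", audit_http_url(s))
```
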
Just to play devil's advocate, let's suppose I were a Microsoft programmer, considering the following two options:
Keep in mind that in order to justify my choice to upper management, I must prove that it generates the most profit for the least investment.
Hmm.......
The Web is like Usenet, but
the elephants are untrained.