10101

Reputation: 329

What are the exact semantics of the user name portion of an HTTP URL?

If I were designing an API or protocol that uses HTTP URLs and wanted to use the userinfo subcomponent to designate something other than the requester's user name, would that be in violation of the spec?

E.g. a user agent authenticated as user '[email protected]' makes a request to http://[email protected]/stuff to access data controlled by or pertaining to user 'b'.

Upvotes: 1

Views: 546

Answers (1)

10101

Reputation: 329

RFC 3986 3.2.1 just says 'a user name' and not the client's user name:

The userinfo subcomponent may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the resource.

But RFC 7230 2.7.1 says

A sender MUST NOT generate the userinfo subcomponent (and its "@" delimiter) when an "http" URI reference is generated within a message as a request target or header field value. Before making use of an "http" URI reference received from an untrusted source, a recipient SHOULD parse for userinfo and treat its presence as an error;

Based on the above, it seems you can use the username component to mean what is wanted, but the server just can't respond with links/resource identifiers including a username.

After testing a link (e.g. <a href="[email protected]">link</a>) in Firefox, it will display a warning and then make the HTTP request without the username if you choose to continue.

Upvotes: 1
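One way to apply both halves of the RFC 7230 2.7.1 rule quoted above in code, as an added example that is not part of the original answer: the receiving side treats userinfo in an untrusted "http" URI as an error, and the sending side strips it from the request target (which is what the answer observed Firefox doing). The URLs are constructed samples and `example.com` is assumed.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_userinfo(url):
    """Return (userinfo, host_port) for the authority of an http(s) URL.

    userinfo is None when the authority carries no "@" delimiter. Only the
    authority is inspected, so an "@" in the path, query or fragment is not
    mistaken for userinfo, and a percent-encoded "%40" is not a delimiter.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("not an http(s) URL: %r" % url)
    authority = parts.netloc
    if "@" not in authority:
        return None, authority
    # RFC 3986 forbids an unencoded "@" inside userinfo or host, so the last
    # "@" is the delimiter; splitting on the last one also matches browsers.
    userinfo, host_port = authority.rsplit("@", 1)
    return userinfo, host_port


def validate_received_uri(url):
    """Recipient side of RFC 7230 2.7.1: a userinfo subcomponent in an "http"
    URI received from an untrusted source is treated as an error."""
    userinfo, _ = parse_userinfo(url)
    if userinfo is not None:
        raise ValueError("userinfo present in received http URI: %r" % url)
    return url


def strip_userinfo_for_request(url):
    """Sender side of RFC 7230 2.7.1: a request target or header field value
    MUST NOT contain userinfo. Return (cleaned_url, dropped_userinfo); the
    dropped value is returned so the caller can convey it out of band."""
    parts = urlsplit(url)
    userinfo, host_port = parse_userinfo(url)
    cleaned = urlunsplit(
        (parts.scheme, host_port, parts.path, parts.query, parts.fragment)
    )
    return cleaned, userinfo


if __name__ == "__main__":
    # Constructed sample mirroring the question: userinfo names user 'b'.
    print(parse_userinfo("http://b@example.com/stuff"))
    print(strip_userinfo_for_request("http://b@example.com/stuff"))
    print(parse_userinfo("http://example.com/?reply=a@b"))  # "@" not in authority
```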
