authority's userinfo?

Thomas Karpiniec tkarpiniec at icloud.com
Thu Jun 11 10:58:45 BST 2020


On Thu, Jun 11, 2020 at 09:02:54AM +0000, solderpunk wrote:
> But if it's legitimate for me to declare that the gemini:// URI scheme
> does not support userinfo, I'll do it in a flash.  This cookie redirect
> thought experiment proves that it's far too dangerous, it's just barely
> better than an actual HTTP cookie (in that it's not easily sent to third
> parties).

By my reading of RFC 3986 (s3.2) you explicitly have that right:

"Some schemes do not allow the userinfo and/or port subcomponents."

> Of course, just saying it's unsupported isn't enough, because servers
> can try to do it anyway, so every client now needs to explicitly check
> for this and either error out or remove the userinfo.

In my experience, an advanced client requires a certain amount of URL
munging anyway (at least if you want to pass Sean's test suite).
Saying that a client SHOULD remove any userinfo component before
initiating a request is not an undue burden. But at the same time it's
clearly not required for a minimally functional client.

Cheers, Tom
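What "a client SHOULD remove any userinfo component before initiating a request" looks like in practice, as an added example (this is not code from Tom's message or from any Gemini client; the function names, the scheme registration trick for urllib, and the constructed redirect target are assumptions). It covers both options mentioned above: silently stripping the userinfo, or erroring out.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit, uses_netloc, uses_relative

# urllib only resolves relative references for schemes it knows about, so a
# gemini client has to register the scheme before urljoin() will do the right
# thing with a relative redirect target such as "../about". (Assumed setup.)
for _scheme in ("gemini",):
    if _scheme not in uses_relative:
        uses_relative.append(_scheme)
    if _scheme not in uses_netloc:
        uses_netloc.append(_scheme)


class UserinfoNotAllowed(ValueError):
    """The URL carries an RFC 3986 userinfo subcomponent ("user:pass@")."""


def has_userinfo(url: str) -> bool:
    """True if the authority of `url` contains a userinfo subcomponent.

    RFC 3986 s3.2.1 delimits userinfo with "@", so even an empty
    "gemini://@host/" counts: any text before the "@" is a place a server
    could park a token it wants echoed back.
    """
    return "@" in urlsplit(url).netloc


def strip_userinfo(url: str, strict: bool = False) -> str:
    """Return `url` with any userinfo removed from its authority.

    strict=False drops the "token@" part (the SHOULD behaviour discussed);
    strict=True raises instead, for clients that prefer to error out.
    """
    if not has_userinfo(url):
        return url
    if strict:
        raise UserinfoNotAllowed(f"userinfo not allowed in {url!r}")
    parts = urlsplit(url)
    host = parts.hostname or ""  # lower-cased, IPv6 brackets stripped
    if ":" in host:  # IPv6 literal: put the brackets back
        host = f"[{host}]"
    port = parts.port  # raises ValueError on a non-numeric port
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def resolve_redirect(current_url: str, meta: str, strict: bool = False) -> str:
    """Turn the META field of a 3x redirect into the next request target.

    The target is resolved against the current URL and then sanitised, so a
    server answering "31 gemini://s3cr3t@example.org/app/home" cannot make the
    client carry "s3cr3t" along in its next request.
    """
    return strip_userinfo(urljoin(current_url, meta.strip()), strict=strict)


if __name__ == "__main__":
    # Constructed sample: a redirect that tries to plant a "cookie" in userinfo.
    nxt = resolve_redirect("gemini://example.org/app/",
                           "gemini://s3cr3t@example.org/app/home")
    print(nxt)  # gemini://example.org/app/home
```

Note that `hostname` lower-cases the host, which is harmless (host names are case-insensitive) but does mean the rebuilt URL is not always byte-identical to the input minus the userinfo; a client that wants to preserve case can instead cut the authority at the last "@" itself.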

