
What to do about userinfo in URLs?

Open glassfishrobot opened this issue 11 years ago • 6 comments

RFC 7230, section 2.7.1 ("http" URI Scheme), states:

Before making use of an "http" URI reference received from an untrusted source, a recipient SHOULD parse for userinfo and treat its presence as an error; it is likely being used to obscure the authority for the sake of phishing attacks.

Now, granted, it's only a SHOULD, but I wonder if we need to heed this in Servlet?

glassfishrobot, Aug 01 '14 22:08
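
A defender-side illustration of the check the RFC quote describes, added here as an example in Java for the servlet setting; it is not code from the Servlet spec or from any container. It parses a URL received from an untrusted source (for instance a redirect-target request parameter) with java.net.URI and rejects it when userinfo is present, and also rejects values java.net.URI cannot parse, since some clients parse those more leniently. The class, method and host names are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** RFC 7230 2.7.1 check for an "http"/"https" URI taken from an untrusted source. */
public final class UntrustedHttpUri {
    /** Outcome: the accepted URI, or a reason for rejection. */
    public static final class Result {
        public final URI uri;       // non-null only when accepted
        public final String reason; // non-null only when rejected
        Result(URI uri, String reason) { this.uri = uri; this.reason = reason; }
        public boolean accepted() { return uri != null; }
    }

    public static Result check(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            // '\' and similar are illegal here but some clients still parse them,
            // so an unparseable value is rejected rather than forwarded.
            return new Result(null, "unparseable: " + e.getReason());
        }
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return new Result(null, "not an absolute http(s) URI");
        }
        // Raw form, so userinfo is detected before any percent-decoding.
        if (uri.getRawUserInfo() != null) {
            return new Result(null, "userinfo present, treated as an error");
        }
        if (uri.getHost() == null) {
            return new Result(null, "authority has no parseable host");
        }
        return new Result(uri, null);
    }

    public static void main(String[] args) {
        // Constructed samples; the host names are placeholders.
        String[] samples = {
            "https://bank.example/login",                    // accepted
            "https://bank.example@attacker.example/login",   // userinfo: rejected
            "https://bank.example\\@attacker.example/login", // '\': unparseable
        };
        for (String s : samples) {
            Result r = check(s);
            System.out.println(s + " -> " + (r.accepted() ? "accepted" : r.reason));
        }
    }
}
```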

  • Issue Imported From: https://github.com/javaee/servlet-spec/issues/101
  • Original Issue Raised By: @glassfishrobot
  • Original Issue Assigned To: @glassfishrobot

glassfishrobot, Jun 06 '18 07:06

@glassfishrobot commented: Reported by @edburns

glassfishrobot, Aug 01 '14 22:08

@glassfishrobot commented: markt_asf said: Given that the definition of "an untrusted source" is going to vary significantly on a case by case basis, I'd lean towards leaving this one to container specific configuration.

glassfishrobot, Jan 23 '17 20:01

@glassfishrobot commented: This issue was imported from java.net JIRA SERVLET_SPEC-101

glassfishrobot, Apr 26 '17 06:04

I am +1 for closing this. I don't think the Servlet spec should be dealing with protocol-level details; that is what the RFCs are for. Given that this is already specified in the RFC that the container is implementing, I don't think we need to re-specify it.

stuartwdouglas, Sep 13 '20 00:09

+1 for closing

markt-asf, Sep 14 '20 10:09