Usernames in the http_URL

Eric Wong normalperson at yhbt.net
Sat Dec 19 05:04:52 EST 2009


John-Paul Bader <hukl at berlin.ccc.de> wrote:
> Hey guys,
> 
> I think the <resource_type>://<username>:<password>@<host>/<path>
> scheme is not "illegal". There are examples of this in the URL RFC,
> just no explicit HTTP example.
> 
> This is probably a vague area. It's not in the http rfc and it's not
> explicitly mentioned in the http auth rfc either but in combination
> with the URL RFC there is at least room for it. I haven't found the
> paragraph yet which says: no username:password stuff allowed in http
> urls. But I was just searching through these things … there are good
> chances I missed it.

Hi,

Yes, I've come to the same conclusion.  rfc2616 just seems to defer
to rfc2396 (which superseded rfc1738 and is superseded by rfc3986).

> http://en.wikipedia.org/wiki/URI_scheme
> http://tools.ietf.org/html/rfc2617
> http://www.ietf.org/rfc/rfc1738.txt
> 
> Anyway, I came across such urls a lot. Often I use them for giving
> people easy access to an otherwise basic authed resource - in a chat
> conversation for example. I know apache and nginx support this - IIS
> does not. 
> 
> Hrm - tough call ;)

Yup, definitely precedent for supporting it (along with Mongrel).  I've
updated the Ragel parser with everything URI.parse("http://..") supports
and pushed out the change.

I've been meaning to make a few more small documentation updates and do
a 0.95.3 release tomorrow when I'm more awake.

-- 
Eric Wong
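
The URL form discussed in this thread, as an added Ruby example that is not part of the original messages or of Unicorn's code: it uses URI.parse to split the userinfo out of an http URL, derives the equivalent RFC 2617 Basic header value, and rebuilds the URL without credentials so it can be logged. The helper names and sample URLs are assumptions constructed for illustration.

```ruby
require "uri"

# Percent-decode one userinfo component ("p%40ss" -> "p@ss").
def pct_decode(str)
  str.gsub(/%\h\h/) { |m| m[1, 2].hex.chr }
end

# Hypothetical helper: split an http(s) URL carrying userinfo into the
# credentials, the equivalent Basic Authorization value (RFC 2617), and a
# credential-free URL that is safe to write to logs.
# Returns nil for URLs that URI.parse rejects or that are not http/https.
def split_userinfo(url)
  uri = URI.parse(url)
  return nil unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?

  user = uri.user && pct_decode(uri.user)
  password = uri.password && pct_decode(uri.password)
  # "m0" is strict base64 with no line breaks, as a header value needs.
  auth = user && "Basic " + ["#{user}:#{password}"].pack("m0")

  # Rebuild the URL from scheme, host, port and request URI only, so the
  # userinfo never reaches the log line.
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  { user: user, password: password, authorization: auth,
    safe_url: "#{uri.scheme}://#{uri.host}#{port}#{uri.request_uri}" }
rescue URI::InvalidURIError
  nil
end

# Constructed sample URLs, not taken from the thread.
[
  "http://hukl:s3cret@example.com/private?x=1",
  "http://user:p%40ss@example.com:8080/",
  "http://example.com/a",
  "ftp://u:p@example.com/"
].each do |url|
  info = split_userinfo(url)
  puts(info ? "#{info[:safe_url]} auth=#{info[:authorization].inspect}" : "rejected")
end
```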

