Usernames in the http_URL
normalperson at yhbt.net
Sat Dec 19 05:04:52 EST 2009
John-Paul Bader <hukl at berlin.ccc.de> wrote:
> Hey guys,
> I think the <resource_type>://<username>:<password>@<host>/<path>
> scheme is not "illegal". There are examples of this in the URL RFC,
> just no explicit HTTP example.
> This is probably a vague area. It's not in the http rfc and it's not
> explicitly mentioned in the http auth rfc either but in combination
> with the URL RFC there is at least room for it. I haven't found the
> paragraph yet which says: no username:password stuff allowed in http
> urls. But I was just searching through these things … there are good
> chances I missed it.
Yes, I've come to the same conclusion. rfc2616 just seems to defer
to rfc2396 (which superseded rfc1738 and is superseded by rfc3986).
> Anyway, I came across such urls a lot. Often I use them for giving
> people easy access to an otherwise basic authed resource - in a chat
> conversation for example. I know apache and nginx support this - IIS
> does not.
> Hrm - tough call ;)
Yup, definitely precedent for supporting it (along with Mongrel). I've
updated the Ragel parser with everything URI.parse("http://..") supports
and pushed out the change.
I've been meaning to make a few more small documentation updates and do
a 0.95.3 release tomorrow when I'm more awake.
More information about the mongrel-unicorn
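
Added example, not part of the original thread and not Unicorn's Ragel parser: how Ruby's URI.parse, the reference named in the reply, splits the userinfo of an http URL, plus a credential-free form for logging. The helper names, sample URLs and credentials are constructed for illustration.

```ruby
require "uri"

# Parse an http(s) URL and report its userinfo the way URI.parse sees it.
# user/password are nil when the URL carries none; values stay percent-encoded.
def split_http_userinfo(url)
  uri = URI.parse(url)
  raise ArgumentError, "not an http(s) URL" unless uri.is_a?(URI::HTTP)
  { user: uri.user, password: uri.password, host: uri.host, port: uri.port }
end

# Rebuild the URL from its non-credential components only, so the result
# can go into access logs or error reports without carrying the password.
def without_userinfo(url)
  uri = URI.parse(url)
  raise ArgumentError, "not an http(s) URL" unless uri.is_a?(URI::HTTP)
  uri.class.build(host: uri.host, port: uri.port,
                  path: uri.path, query: uri.query).to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URLs: user and password, user only, no userinfo.
  samples = [
    "http://alice:s3cret@example.com/private?x=1",
    "http://alice@example.com:8080/",
    "http://example.com/"
  ]
  samples.each do |url|
    parts = split_http_userinfo(url)
    puts "#{without_userinfo(url)}  user=#{parts[:user].inspect} " \
         "password=#{parts[:password] ? '[present]' : 'nil'}"
  end
end
```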