Usernames in the http_URL

Eric Wong normalperson at
Sat Dec 19 05:04:52 EST 2009

John-Paul Bader <hukl at> wrote:
> Hey guys,
> I think the <resource_type>://<username>:<password>@<host>/<path>
> scheme is not "illegal". There are examples of this in the URL RFC,
> just no explicit HTTP example.
> This is probably a vague area. It's not in the http rfc and it's not
> explicitly mentioned in the http auth rfc either but in combination
> with the URL RFC there is at least room for it. I haven't found the
> paragraph yet which says: no username:password stuff allowed in http
> urls. But I was just searching through these things … there are good
> chances I missed it.


Yes, I've come to the same conclusion.  rfc2616 just seems to defer
to rfc2396 (which superseded rfc1738 and is superseded by rfc3986).

> Anyway, I came across such urls a lot. Often I use them for giving
> people easy access to an otherwise basic authed resource - in a chat
> conversation for example. I know apache and nginx support this - IIS
> does not. 
> Hrm - tough call ;)

Yup, definitely precedent for supporting it (along with Mongrel).  I've
updated the Ragel parser with everything URI.parse("http://..") supports
and pushed out the change.

I've been meaning to make a few more small documentation updates and do
a 0.95.3 release tomorrow when I'm more awake.

Eric Wong
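
Added example, not part of the original message and not Unicorn's code: how Ruby's URI.parse, which the message names as the reference, separates the userinfo component of an http URL, together with a credential-free form of the URL. The helper name `split_userinfo`, the idea of using the redacted form in logs, and the sample URLs are assumptions constructed for illustration.

```ruby
require "uri"

# Hypothetical helper (not from Unicorn): parse an absolute http(s) URL with
# URI.parse and separate the userinfo component from the rest.
# Returns nil for anything that is not a valid http/https URL.
def split_userinfo(url)
  uri = URI.parse(url)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both schemes.
  return nil unless uri.is_a?(URI::HTTP) && uri.host

  # Rebuild the URL from its non-secret components rather than editing the
  # original string, so the credentials cannot survive a missed corner case.
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  redacted = "#{uri.scheme}://#{uri.host}#{port}#{uri.request_uri}"

  {
    user: uri.user,          # nil when the URL carries no userinfo
    password: uri.password,  # nil for "user@host" (no ":password" part)
    redacted: redacted       # same URL without credentials, e.g. for logs
  }
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URLs; user and password are printed exactly as
  # written in the URL (still percent-encoded, if they were encoded).
  [
    "http://alice:secret@example.com/private?x=1",
    "http://alice@example.com:8080/",
    "http://example.com/",
    "http://bad host/"
  ].each { |u| puts "#{u.inspect} => #{split_userinfo(u).inspect}" }
end
```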

