> Microsoft plans to release a software update that modifies
> the default behavior of Internet Explorer for handling user
> information in HTTP and HTTPS URLs.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489
>
> Basically, they're taking out the http://user:[EMAIL PROTECTED]
> format for automatically passing username and password to a
> secured site. This is their solution to getting around the
> domain spoofing bug.

Given that this new behavior complies with the HTTP RFC and the previous
behavior didn't, it sounds like a good solution to me!

RFC 1738 - Page 8

3.3. HTTP

   The HTTP URL scheme is used to designate Internet resources
   accessible using HTTP (HyperText Transfer Protocol).

   The HTTP protocol is specified elsewhere. This specification only
   describes the syntax of HTTP URLs.

   An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

   where <host> and <port> are as described in Section 3.1. If :<port>
   is omitted, the port defaults to 80.  No user name or password is
   allowed.

I don't think this has been superseded by any changes in RFC 2396, either.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
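
As an added example (not part of the original message or of Microsoft's update), this sketch uses the WHATWG `URL` parser found in browsers and Node.js to report which host a link really targets and to flag HTTP(S) URLs carrying a userinfo part, which RFC 1738 section 3.3 disallows. The function names and sample links are constructed for illustration.

```javascript
// Added example: flag http(s) links that carry userinfo (user[:password]@),
// which the RFC 1738 section 3.3 HTTP syntax quoted above does not allow.
// Function names and SAMPLE_LINKS are constructed for illustration.

function safeDecode(s) {
  // Malformed percent-escapes must not abort the check.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns the host the client would really contact, plus userinfo findings.
function inspectHttpUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { valid: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { valid: false, reason: "not http(s)" };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  // A user name that contains a dot reads like a host name, so the text
  // before '@' can be mistaken for the destination.
  const userinfoLooksLikeHost = hasUserinfo && safeDecode(url.username).includes(".");
  return {
    valid: true,
    host: url.hostname, // the real destination: everything after '@'
    hasUserinfo,
    userinfoLooksLikeHost,
    rfc1738Conformant: !hasUserinfo,
  };
}

// Keeps only the links a filter or reviewer should look at.
function flagLinks(links) {
  return links.filter((link) => {
    const r = inspectHttpUrl(link);
    return r.valid && r.hasUserinfo;
  });
}

// Constructed sample input (documentation-reserved names and addresses).
const SAMPLE_LINKS = [
  "http://www.example.com@198.51.100.7/login", // userinfo resembles a host
  "http://alice:secret@intranet.example/",     // credentials in the URL
  "https://example.org/path?x=a@b",            // '@' in the query, no userinfo
  "ftp://user@files.example/",                 // not http(s), out of scope
];
```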