RFR: 8029354: URLPermission.<init> throws llegalArgumentException: Invalid characters in hostname
Michael McMahon
michael.x.mcmahon at oracle.com
Mon Dec 2 04:34:59 PST 2013
On 02/12/13 12:17, Weijun Wang wrote:
>
>
> On 12/2/13, 19:00, Michael McMahon wrote:
>> It looks like userinfo is not permitted in http URLs anyway (in rfc
>> 2616). And even if clients
>> are permissive about allowing it, any userinfo would most likely not be
>> seen by a server
>> since the request URI only contains the path component of the
>> original URI.
>
> Of course not, password should no be sent to the server in this way.
> My understanding is that it will be used by the browser when server
> requests for authentication.
>
Browsers seem to discourage this usage: IE doesn't allow it at all.
Firefox helpfully asks
if you are sure about it, in case of URLs like
http:://where.you.think.you.are.going at bad.place/
Michael
> --Max
>
>>
>> I need to look at the bug report, to see how this situation arose in the
>> first place.
>>
>> Michael
>>
>> On 02/12/13 10:41, Weijun Wang wrote:
>>> Is it possible to just ignore the userinfo part? I wonder if people
>>> will complain why "user:pass" is not the same as "user".
>>>
>>> --Max
>>>
>>> On 12/2/13, 18:00, Michael McMahon wrote:
>>>>> This means http://example.com does not imply
>>>>> http://someone@example.com. Is this intended?
>>>
>>>>>> http://cr.openjdk.java.net/~michaelm/8029354/webrev.1/
>>
More information about the net-dev
mailing list