TOC |
|
Defacto standards have evolved that conflict with existing standards, specifically RFC 3986. This document clarifies the use of the "@" (at sign) in URIs and partial URI-like addresses.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
This Internet-Draft will expire on February 1, 2011.
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
1.
Introduction
1.1.
Requirements Language
2.
Issues
3.
Conclusions
4.
Valid Syntax
5.
Invalid Syntax
6.
Examples
7.
IANA Considerations
8.
Security Considerations
9.
Normative References
§
Author's Address
TOC |
The original specification of the URI format is in RFC 3986 (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) [RFC3986].
TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].
TOC |
TOC |
TOC |
In RFC 3986 (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) [RFC3986], the syntax of the authority component in a URI is defined as:
authority = [ userinfo "@" ] host [ ":" port ]
In addition, when the user is on a known host, on the same social network for example, the host and port components MAY be omitted:
authority = [ userinfo "@" ] [ host [ ":" port ] ]
When the host component is omitted, the userinfo component will be interpreted to be relative to the base URI of the current resource. For example:
+--------------------------------------------------+ | http://ExampleOnly.com/JaneSmith | |--------------------------------------------------| | JohnDoe@ I will meet you there in a short while. | |__________________________________________________|
will be interpreted as:
+-----------------------------------------------------------------+ | http://ExampleOnly.com/JaneSmith | |-----------------------------------------------------------------| | JohnDoe@ExampleOnly.com I will meet you there in a short while. | |_________________________________________________________________|
and (in HTML code):
+----------------------------------+ | http://ExampleOnly.com/JaneSmith | |----------------------------------| | <a href="/JohnDoe">JohnDoe@</a> | |__________________________________|
will be interpreted as:
+------------------------------------------------------------------+ | http://ExampleOnly.com/JaneSmith | |------------------------------------------------------------------| | <a href="http://ExampleOnly.com/JohnDoe">JohnDoe@ExampleOnly</a> | |__________________________________________________________________|
TOC |
In a component that may at some time be interpreted to be a URI by some system the "@" MUST NOT be placed prior to the userinfo component:
WRONG! [ "@" userinfo ]
The "@" SHOULD not be placed prior to the userinfo component even in areas of plain text due to the potential for altering users' perception of the correct placement of the "@" separator.
The "@" SHOULD NOT appear in an improper location in an HTML link:
WRONG! <a href="http://ExampleOnly.com/JohnDoe">@JohnDoe</a> <a href="http://ExampleOnly.com/JohnDoe">ExampleOnly.com@JohnDoe</a>
TOC |
Improper usage when user being replied to is on the same social network
+--------------------------------------------------+ | @JohnDoe I will meet you there in a short while. | |__________________________________________________|
WRONG! How would the host component be appended if the user was on a different network?
Figure 1 |
Standalone userinfo component when user being replied to is on the same social network
+--------------------------------------------------+ | JohnDoe@ I will meet you there in a short while. | |__________________________________________________|
This follows the current standard use of "@" in the authority component.
Figure 2 |
Fully-qualified authority component when the user being replied to can be on a different host
+-----------------------------------------------------------------+ | JohnDoe@ExampleOnly.com I will meet you there in a short while. | |_________________________________________________________________|
Appending the host component after the "@" results in syntax that conforms to the RFC 3986.
Figure 3 |
TOC |
This memo includes no request to IANA.
TOC |
A URI does not in itself pose a security threat. However, as URIs are often used to provide a compact set of instructions for access to network resources, care must be taken to properly interpret the data within a URI, to prevent that data from causing unintended access, and to avoid including data that should not be revealed in plain text.
However, placing an "@" in the wrong position, such as prior to the userinfo rather than following it, can introduce security risks, since the userinfo may be incorrectly interpreted or supplied to unauthorized systems. A defacto standard that places the "@" in the wrong location introduces additional security risks due to the increased likelihood that users will misplace the "@" as a result of the confusion.
TOC |
[RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
[RFC3986] | Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” STD 66, RFC 3986, January 2005 (TXT, HTML, XML). |
TOC |
Robert Simpson | |
Accilent Corp. | |
P.O. Box 601 | |
Lawrence, PA 15055 | |
US | |
Phone: | +1-412 337-3113 |
Email: | RobS.rfc5@MailScreen.com |