Hi Jens,

Okay, you made me look it up. :)
From: Jens Alfke <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, February 11, 2014 1:36 PM
To: "[email protected]" <[email protected]>
Subject: Re: HTTP Basic Auth

On Feb 11, 2014, at 1:30 PM, Matt Ingenthron <[email protected]> wrote:

I'm not sure if it's relevant here, but while the username:password@ is relatively common and frequently does what you expect, it actually is not part of HTTP standards.

It's defined in RFC 1738 <http://www.ietf.org/rfc/rfc1738.txt>: Uniform Resource Locators, the specification of URL syntax:

RFC 2396 (which hails from 1998, where RFC 1738 seems to be from 1994, when most people hadn't yet used a URI) states:

3.2.2. Server-based Naming Authority

   URL schemes that involve the direct use of an IP-based protocol to a specified server on the Internet use a common syntax for the server component of the URI's scheme-specific data:

      <userinfo>@<host>:<port>

   where <userinfo> may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the server. The parts "<userinfo>@" and ":<port>" may be omitted.

      server        = [ [ userinfo "@" ] hostport ]

   The user information, if present, is followed by a commercial at-sign "@".

      userinfo      = *( unreserved | escaped |
                         ";" | ":" | "&" | "=" | "+" | "$" | "," )

   Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used.
And if you don't consider the newer-ness important, the trump card in this case is this in RFC 2396:

   This document updates and merges "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URI.

Just because CouchDB does it doesn't mean it's correct.

I had this discussion with some of the CouchDB folks back in 2010 and it was acknowledged as an unfortunate choice in the face of what was an assumed standard.

I spoke up because I thought it might be relevant to be aware of the distinction. I know you know that just because CouchDB does it doesn't mean it's correct, since you've been awesome about documenting behavior and implementing questionable ideas for code compatibility.

I'm saying that something in between may be listening to 1998 URIs instead of 1994 URIs, stripping off the :password and sticking it in an authorization header for HTTP Basic auth. IIRC, one version of Firefox did exactly that. I don't have a reference for that one though, just seat-of-the-pants experience.

Thanks,

Matt

--
Matt Ingenthron
Couchbase, Inc.

--
You received this message because you are subscribed to the Google Groups "Couchbase Mobile" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/mobile-couchbase/CF1FEBFA.DCE46%25matt%40couchbase.com. For more options, visit https://groups.google.com/groups/opt_out.
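The mechanics Matt is describing, as an added example that is not part of the thread and not code from Couchbase, CouchDB or Firefox: a parser for the RFC 2396 userinfo component quoted above, the client behaviour he recalls (strip `user:password@` out of the URL and send it as an HTTP Basic `Authorization` header instead), and a redaction helper for the case the RFC warns about, a credential ending up in cleartext wherever the URL is logged. It goes slightly beyond the message by also checking a string against the quoted `userinfo` grammar. The URLs and credentials in it are constructed for illustration; nothing here is taken from the thread.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# RFC 2396 userinfo grammar, transcribed from the section quoted above:
#   userinfo   = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
#   unreserved = alphanum | mark        mark = "-" "_" "." "!" "~" "*" "'" "(" ")"
#   escaped    = "%" hex hex
_USERINFO_RE = re.compile(r"^(?:[A-Za-z0-9\-_.!~*'()]|%[0-9A-Fa-f]{2}|[;:&=+$,])*$")


def is_rfc2396_userinfo(s):
    """True if s is a syntactically valid RFC 2396 userinfo component.
    A raw '@' or '/' is not allowed there; such octets must be %-escaped."""
    return _USERINFO_RE.match(s) is not None


def split_userinfo(url):
    """Return (user, password, url_with_userinfo_removed).

    user and password are None when absent. The host begins after the LAST
    '@' in the authority (the choice browsers make), and percent-escapes in
    the userinfo are decoded because the grammar permits 'escaped' octets,
    e.g. %40 for a literal '@' inside a password.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return None, None, url
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    user, sep, password = userinfo.partition(":")
    stripped = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return unquote(user), (unquote(password) if sep else None), stripped


def basic_auth_header(user, password):
    """Value of an HTTP Basic Authorization header: base64("user:password")."""
    raw = f"{user}:{password or ''}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def to_request(url):
    """Model the client behaviour described in the message: the credential is
    stripped from the URL and carried in an Authorization header instead.
    Returns (request URL without userinfo, headers dict)."""
    user, password, stripped = split_userinfo(url)
    headers = {}
    if user is not None:
        headers["Authorization"] = basic_auth_header(user, password)
    return stripped, headers


def redact(url):
    """Replace the password in a URL with '***' so the URL can be logged
    without recording the cleartext credential RFC 2396 warns about."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    user, sep, _password = userinfo.partition(":")
    if not sep:
        return url
    return urlunsplit((parts.scheme, f"{user}:***@{hostport}", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URL for illustration; not taken from the thread.
    sample = "http://admin:s3cret@localhost:5984/db"
    target, headers = to_request(sample)
    print(target, headers)  # http://localhost:5984/db {'Authorization': 'Basic YWRtaW46czNjcmV0'}
    print(redact(sample))   # http://admin:***@localhost:5984/db
    print(is_rfc2396_userinfo("admin:s3cret"), is_rfc2396_userinfo("p@ss"))  # True False
```

Note that a URL such as the sample above and the `Authorization: Basic ...` header are equivalent in what they disclose: Basic is an encoding, not encryption, so whichever form an intermediary chooses to forward, the credential is in cleartext unless the connection itself is TLS.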
