We're starting to take complaints from folks who have installed the
latest IE patch about various broken website functionality. The
complaints are not related to folks trying to use the username:password@
functionality that was removed by the patch.
Is anyone taking similar calls / seeing
Yes. From MS: (a registry-based fix is detailed in the KB article)
This Internet Explorer cumulative update also includes a change to the
functionality of a Basic Authentication feature in Internet Explorer.
The update removes support for handling user names and passwords in HTTP
and HTTP with
Yes they broke basic auth in a URL.
I am uncertain as to why it was necessary to remove this functionality.
Bryan
- Original Message -
From: Herman Harless [EMAIL PROTECTED]
To: nanog [EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:26 AM
Subject: Latest IE patch breaking non
Herman Harless [2/3/2004 10:56 PM] :
We're starting to take complaints from folks who have installed the
latest IE patch about various broken website functionality. The
complaints are not related to folks trying to use the username:password@
functionality that was removed by the patch.
Is anyone
--On Tuesday, February 03, 2004 11:34 AM -0600 Bryan Heitman
[EMAIL PROTECTED] wrote:
Yes they broke basic auth in a URL.
I am uncertain as to why it was necessary to remove this functionality.
My guess is that too many people were getting burned by URLs like this:
http://[EMAIL PROTECTED]
Yes they broke basic auth in a URL.
I am uncertain as to why it was necessary to remove this functionality.
Bryan
Apparently, there were ways to use this to make one URL look like the URL
of another site. According to Microsoft, it isn't just
'[EMAIL PROTECTED]/foo', but there were
On Tue, 3 Feb 2004, Jeff Workman wrote:
My guess is that too many people were getting burned by URLs like this:
http://[EMAIL PROTECTED]
-Jeff
Right but the bug wasn't basic auth in a URL it was that the %01 character
stopped Outlook and IE from displaying the rest of the URL, so
Sorry -
Mostly non-password encoded forms that don't refresh when you hit
submit. After Submitting 3 or 4 times they seem to work. Like most
ISP's, we take calls when somebody's web site doesn't work, even if we
don't even host it.
On Tue, 2004-02-03 at 12:24, Conrad Golightly wrote:
Can
I rather treat this patch as a _bug_. user:[EMAIL PROTECTED] format is used (I
have 3 or 4 instances in monitoring system, to allow automatic proxy
onto the system with 'guest' user name, for example). To block scam, it was
sufficient to restrict username length, or to set up a checkbox in
So, instead of changing 'visialization' part of IE, MS give up and decided
to drop important piece of standard?
Ok, you can always show HOST name in URL, dim user name, and position
location so that you can see real host. You can show a warning, if user name
looks like real domain name (have .
On Tue, 3 Feb 2004, Alexei Roudnev wrote:
So, instead of changing 'visialization' part of IE, MS give up and decided
to drop important piece of standard?
Placing the username and password in a URL has been deprecated for
HTTP. From RFC 2616:
3.2.2 http URL
The http scheme is
11 matches
Mail list logo