On Thu, Jun 11, 2020 at 09:02:54AM +0000, solderpunk wrote:
> But if it's legitimate for me to declare that the gemini:// URI scheme
> does not support userinfo, I'll do it in a flash. This cookie redirect
> thought experiment proves that it's far too dangerous, it's just barely
> better than an actual HTTP cookie (in that it's not easily sent to third
> parties).

By my reading of RFC 3986 (s3.2) you explicitly have that right:

"Some schemes do not allow the userinfo and/or port subcomponents."

> Of course, just saying it's unsupported isn't enough, because servers
> can try to do it anyway, so every client now needs to explicitly check
> for this and either error out or remove the userinfo.

In my experience, an advanced client requires a certain amount of URL munging anyway (at least if you want to pass Sean's test suite). Saying that a client SHOULD remove any userinfo component before initiating a request is not an undue burden. But at the same time it's clearly not required for a minimally functional client.

Cheers,
Tom
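
The client-side check discussed in this message, as an added example that is not part of the original post or of any Gemini client: it takes an absolute gemini:// URL (for instance a redirect target) and either removes the userinfo or errors out. The names `strip_userinfo`, `UserinfoRejected` and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


class UserinfoRejected(ValueError):
    """Raised in strict mode when a gemini:// URL carries userinfo."""


def strip_userinfo(url, strict=False):
    """Return (url_without_userinfo, had_userinfo) for an absolute gemini:// URL.

    strict=False removes the userinfo; strict=True errors out instead.
    """
    parts = urlsplit(url)
    if parts.scheme != "gemini":          # urlsplit lowercases the scheme
        raise ValueError("not a gemini:// URL: %r" % url)
    # RFC 3986 s3.2: authority = [ userinfo "@" ] host [ ":" port ]
    # Split on the LAST "@" so a malformed "a@b@host" cannot leave a
    # fragment of userinfo in front of the real host.
    _, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url, False                 # nothing to remove
    if strict:
        raise UserinfoRejected("userinfo present in %r" % url)
    if not hostport:
        raise ValueError("no host after userinfo in %r" % url)
    clean = urlunsplit((parts.scheme, hostport, parts.path,
                        parts.query, parts.fragment))
    return clean, True


if __name__ == "__main__":
    # Constructed redirect targets, not taken from the thread.
    samples = [
        "gemini://example.org/page",
        "gemini://tracking-id-1234@example.org/page?x=1",
        "gemini://a@b@example.org:1965/",
    ]
    for target in samples:
        clean, changed = strip_userinfo(target)
        print("stripped " if changed else "unchanged", clean)
```

An "@" that appears in the path or query is left alone, because only the authority component is inspected.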