MS announces change in IE behavior

[Gordon Darling]

From NTBUGTRAQ

MS announces change in IE behavior

Date: Wed, 28 Jan 2004 12:13:52 -0800

834489 - Microsoft plans to release a software update that modifies the
default behavior of Internet Explorer for handling user information in
HTTP and HTTPS URLs:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489

(About frigging time - Gordon)

Regards
Gordon

 

[JanC]

From NTBUGTRAQ

MS announces change in IE behavior

Date: Wed, 28 Jan 2004 12:13:52 -0800

834489 - Microsoft plans to release a software update that modifies the
default behavior of Internet Explorer for handling user information in
HTTP and HTTPS URLs:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489

I think it's stupid to cripple IE URL handling while keeping the bug that
it says to fix in the program...

 

[Gordon Darling]

I think it's stupid to cripple IE URL handling while keeping the bug that
it says to fix in the program...

Nope. Agree Microsoft need to fix the original bug. BUT they are
now doing it right.


RFC 1738 - Page 8

3.3. HTTP

The HTTP URL scheme is used to designate Internet resources
accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only
describes the syntax of HTTP URLs.

An HTTP URL takes the form:

http://<host>:<port>/<path>?<searchpart>

where <host> and <port> are as described in Section 3.1. If :<port>
is omitted, the port defaults to 80. No user name or password is
allowed.


Note the last sentence.

Regards
Gordon

 

[JanC]

Nope. Agree Microsoft need to fix the original bug. BUT they are
now doing it right.

RFC 1738 - Page 8

3.3. HTTP

The HTTP URL scheme is used to designate Internet resources
accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only
describes the syntax of HTTP URLs.

An HTTP URL takes the form:

http://<host>:<port>/<path>?<searchpart>

where <host> and <port> are as described in Section 3.1. If :<port>
is omitted, the port defaults to 80. No user name or password is
allowed.

Note the last sentence.

RFC 1738 is obsoleted AFAICS and newer RFCs say it's "NOT RECOMMENDED" to
use name/password in a URI in general. But a new RFC for standalone http:
URIs doesn't seem to exist. Typical...

Anyway: Opera's solution is better IMHO: they show a warning popup when you
click on such a URI.

 

[Aaron]

RFC 1738 is obsoleted AFAICS and newer RFCs say it's "NOT RECOMMENDED"
to use name/password in a URI in general. But a new RFC for
standalone http: URIs doesn't seem to exist. Typical...

Anyway: Opera's solution is better IMHO: they show a warning popup
when you click on such a URI.

As for the mozilla people, they have being talking about the problem (in
general not the exploit that masks the url) since 2001! Recently, there
has being a slew of comments, discussion about half a dozen methods of
handling it and the pros and cons, but will they ever just decide to do
it??

http://bugzilla.mozilla.org/show_bug.cgi?id=122445

Aaron (my email is not munged!)

 

[Joe P]

Too bad they won't make exceptions for sites in your Trusted Sites
zone. I use these links to save time in downloading files from our
suppliers at work.

Joe

 

[Gordon Darling]

As for the mozilla people, they have being talking about the problem (in
general not the exploit that masks the url) since 2001! Recently, there
has being a slew of comments, discussion about half a dozen methods of
handling it and the pros and cons, but will they ever just decide to do
it??

http://bugzilla.mozilla.org/show_bug.cgi?id=122445

Aaron (my email is not munged!)

That's the problem with RFCs. By the time they are implemented they are
years out of date!

Regards
Gordon