[OpenID] Combining Google & Yahoo user experience research
Johnny Bufu
johnny.bufu at gmail.com
Tue Oct 21 17:30:53 UTC 2008
On Tue, Oct 21, 2008 at 08:58:13AM -0700, SitG Admin wrote:
> >RPs can, using no more than OpenID 2.0, perform OpenID discovery on
> >http(s)://user@example.com/
>
> I don't think '@' is an allowable character in domain names.
It is not part of the domain name -- the server component (== domain
name) follows it.
Per the URI RFCs, the '@' character is reserved in the authority component
exactly for the purpose of delimiting the "userinfo" sub-component. See
section 3.2 about the authority syntax, in both the old [1] (referenced
by HTTP 1.1 and OpenID 2.0) and new [2] (not referenced by HTTP 1.1, as
far as I can tell) URI RFC.
So my suggestion seems to be in line with the intended purpose of URI
syntax for the authority part.
> Also, an
> older version of Internet Explorer used to interpret that as a
> pre-specified login name for authentication and would hold onto those
> values (usually two, i.e. 'username:password@') waiting for a prompt,
> but actually SEND the string AFTER the '@'. This was eventually
> removed because it posed a security problem; phishers would use URLs
> such as 'msn.com/account/login@badsite.com' and IE would simply
> ignore everything preceding the '@'!
I don't think we should really be concerned with old and flawed
implementations, not when designing new stuff anyway.
Johnny
[1] http://www.ietf.org/rfc/rfc2396.txt
[2] http://www.ietf.org/rfc/rfc3986.txt
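As an added example (not from the thread), a small RFC 3986 section 3.2 authority splitter in Python that shows which host an RP's discovery request for an identifier like https://user@example.com/ would actually be sent to, plus a defender-side heuristic that flags identifiers whose userinfo part looks like a hostname; it assumes plain DNS host names (no IPv6 literals), and the function names are my own.

```python
import re
from typing import NamedTuple, Optional

# Authority syntax per RFC 3986 section 3.2:
#   authority = [ userinfo "@" ] host [ ":" port ]
# '@' may not appear unescaped in host or port, so anything before an
# '@' inside the authority is userinfo, never part of the host.
AUTHORITY_RE = re.compile(
    r"^(?:(?P<userinfo>[^@]*)@)?(?P<host>[^:@]*)(?::(?P<port>\d*))?$"
)


class Authority(NamedTuple):
    userinfo: Optional[str]
    host: str
    port: Optional[int]


def split_authority(uri: str) -> Authority:
    """Return (userinfo, host, port) of an absolute http(s) URI.

    The authority ends at the first '/', '?' or '#' after '://', so an
    '@' that appears later in the path does not move the host.
    """
    scheme_end = uri.find("://")
    if scheme_end == -1:
        raise ValueError("not an absolute URI with an authority: %r" % uri)
    rest = uri[scheme_end + 3:]
    end = len(rest)
    for delim in "/?#":
        idx = rest.find(delim)
        if idx != -1:
            end = min(end, idx)
    m = AUTHORITY_RE.match(rest[:end])
    if m is None or not m.group("host"):
        raise ValueError("malformed authority in %r" % uri)
    port = int(m.group("port")) if m.group("port") else None
    return Authority(m.group("userinfo"), m.group("host").lower(), port)


def discovery_host(identifier: str) -> str:
    """Host an RP would actually contact when discovering this identifier."""
    return split_authority(identifier).host


def looks_deceptive(identifier: str) -> bool:
    """Heuristic for the phishing pattern discussed in the thread: flag an
    identifier whose userinfo itself looks like a domain name (contains a
    '.'), since a reader may mistake it for the real host."""
    auth = split_authority(identifier)
    return auth.userinfo is not None and "." in auth.userinfo
```

Sample identifiers in the test use reserved `.example` names and are constructed for illustration.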