oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Clean up references to URL vs URI vs application/x-www-form-urlencoded #126

Open aaronpk opened 2 years ago

aaronpk commented 2 years ago

There are still some references to old URI specs like RFC3986, which have since been replaced by various IETF specs as well as the WHATWG URL spec.

ioggstream commented 2 years ago

@aaronpk I asked the HTTP ML and it seems there are many doubts on that point. In particular,

@bagder (curl's author) referenced this post

The current state of URLs and URIs cannot be described as anything less than a horrible mess, a security nightmare [*] and an infected area that lots of persons will not go near due to the past experiences and personal conflicts.

[*] = https://daniel.haxx.se/blog/2022/01/10/dont-mix-url-parsers/

and @royfielding wrote this interesting email https://lists.w3.org/Archives/Public/ietf-http-wg/2022AprJun/0173.html that iiuc states that

What URI (RFC3986) defines is a standard naming format that uses hierarchical name delegation to cover the entire Internet with identifiers. The WHATWG url spec defines a set of rules for interpreting references and placing them in a url data structure within browser memory. url != URL. href != URL. The spec says that this is somehow replacing URI, but it isn't even defining the same thing.

As of now, the application/x-www-form-urlencoded media type registration references the WHATWG url spec.

I think that in OAuth we should:

This should minimize the security risks @bagder highlights in his post and provide a consistent language for implementers.

Since I am not a veteran of the HTTP wg, I suggest asking the HTTP chairs for a preliminary review of this spec: I think it will really improve the security profile of this great work.

HTH, R

See also #119