w3c / webappsec-change-password-url

A Well-Known URL for Changing Passwords
https://w3c.github.io/webappsec-change-password-url/

Consider adding a bit more detail to the generation algorithm. #2

Closed mikewest closed 5 years ago

mikewest commented 5 years ago

I'd suggest being a bit more pedantic about the URL generation algorithm. Perhaps something like:

1.  If |origin| is not a [=potentially trustworthy origin=], return failure.

2.  Assert: |origin| is a [=tuple origin=].

3.  Let |url| be a new [=URL=] with values set as follows:

    :   [=url/scheme=]
    ::  |origin|'s [=origin/scheme=]
    :   [=url/host=]
    ::  |origin|'s [=origin/host=]
    :   [=url/port=]
    ::  |origin|'s [=origin/port=]
    :   [=url/path=]
    ::  « "`.well-known`", "`change-password`" ».

4.  Return |url|.  

@annevk might have opinions about whether it's better to generate URLs this way or by feeding strings into the parser (if the latter, you'll need to serialize the origin before parsing it). This seems clearer to me?

annevk commented 5 years ago

What you did there seems fine as long as you control all the relevant fields (or they come from a parsed URL).

annevk commented 5 years ago

Except that path is a list so that needs to be a little different.

mikewest commented 5 years ago

> Except that path is a list so that needs to be a little different.

Ah. Yes. Editing the original to correct.
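The generation steps proposed in this thread, as an added JavaScript sketch (not code from the issue, the spec, or its authors). The JavaScript `URL` API has no per-component constructor, so it takes the other route mentioned above: serialize the origin, parse it, then set the path from the segment list. The function names are hypothetical, and the trustworthiness check is a simplified approximation of the Secure Contexts definition.

```javascript
// Added illustration; helper names are hypothetical, not taken from the spec.
const PATH_SEGMENTS = [".well-known", "change-password"]; // the path is a list of segments

// Simplified approximation of "potentially trustworthy origin":
// secure schemes plus loopback hosts. The full definition covers more cases.
function isPotentiallyTrustworthy(u) {
  if (u.origin === "null") return false; // opaque origins are never trustworthy
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Returns the serialized change-password URL, or null for "failure".
function changePasswordUrl(input) {
  let parsed;
  try {
    parsed = new URL(input); // every field used below comes from a parsed URL
  } catch {
    return null;
  }
  // Step 1: refuse origins that are not potentially trustworthy.
  if (!isPotentiallyTrustworthy(parsed)) return null;
  // Step 2: assert a tuple origin (scheme, host, port), not an opaque one.
  if (parsed.origin === "null") throw new Error("assert: expected a tuple origin");
  // Step 3: only scheme, host and port survive origin serialization, so
  // userinfo, path, query and fragment from the input cannot leak through.
  const url = new URL(parsed.origin);
  url.pathname = "/" + PATH_SEGMENTS.join("/");
  // Step 4
  return url.href;
}

// Constructed sample inputs.
console.log(changePasswordUrl("https://user:pw@example.com:8443/login?next=/x#top"));
console.log(changePasswordUrl("http://example.com/"));
```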