Re: automatic submission of logon/password

From: Henrik Nordstrom <[email protected]>
Date: Wed, 26 May 1999 23:52:52 +0000

Mike Batchelor wrote:
>
> I would like to point out that this is actually an illegal URL as defined by
> the relevant RFC (I'll look up the number if you really care to know).
>
> It appears that squid does the "right" thing, and composes a proper HTTP
> request from this illegal URL, and issues that to the origin web server.
> But HTTP URLs cannot contain a username or password. That's explicit in the
> RFC.

This URL format is only legal inside Squid, between a redirector and
Squid. It should not be given to users or browsers, or forwarded to
parents. Inside Squid we may temporarily break any RFCs we like, but not
on the network.

Also, due to various reasons it only works when Squid goes direct to the
origin server. (Actually it will work in a Squid 2.X hierarchy, or when
given to users using a Squid 2.X cache, but any configurations where
such URLs are sent on the wire is unsupported since it is a highly
unstandard URL format)

--
Henrik Nordstrom
Spare time Squid hacker
Received on Wed May 26 1999 - 17:42:02 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:46:27 MST