https://bz.apache.org/bugzilla/show_bug.cgi?id=66341

--- Comment #4 from briandk...@gmail.com ---
This is probably a bigger discussion than this bug report, but it seems like a
single on/off switch (HttpProtocolOptions) is not a great way to enable/disable
so many options.
I can definitely see only wanting to be able to allow usernames/passwords in
URLs, without also wanting to have to allow all the other security issues
mentioned in RFC 7230. In fact, I'd like to be able to enable it just for FTP,
given that it is hardly ever required for http(s) anymore.

It's probably worth pointing out that RFC 7230 section 2.7.1 is specifically
about http(s) URIs as well and doesn't mention ftp URIs. HTTP has other
authentication options available and most sites have moved away from basic
auth, so it does make sense to drop the basic auth user/password support from a
forward proxy for http(s). 

FTP, however, still requires a username and password in most cases (except
anonymous). If an FTP URI is being passed through a forward proxy with a
username/password, it seems more likely that those credentials would be required
rather than an attempt to obfuscate the URI. Yes, FTP is insecure, but it is
still used and does require credentials to be passed.
