RFC 2616 (5.1.2) defines the request URI as:
Request-URI = "*" | absoluteURI | abs_path | authority
And imports 'absoluteURI' from RFC 2396 (3):
absoluteURI = scheme ":" ( hier_part | opaque_part )
hier_part = ( net_path | abs_path ) [ "?" query ]
opaque_part = uric_no_slash *uric
uric_no_slash = unreserved | escaped | ";" | "?" | ":" | "@" |
"&" | "=" | "+" | "$" | ","
uric = reserved | unreserved | escaped
So as you can clearly :-) see, fragments are not allowed per the ABNF rules...
---
The new HTTPbis spec had clearer ABNF rules in draft -09, but still only
restricted the fragment in ABNF.
At my request, the editors added in -10 [1]:
Note: Fragments ([RFC3986], Section 3.5) are not part of the
request-target and thus will not be transmitted in an HTTP
request.
So hopefully this is clearer now.
[1] http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-10#section-4.1.2
EHL
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of David
Stanek
Sent: Monday, August 02, 2010 6:15 PM
To: o...@gryb.info
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?
On Sun, Aug 1, 2010 at 10:47 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
I've just verified Ruby and Perl's user agents as well: both worked as expected
- no fragments in the web log files. It adds confidence. Thanks to everyone who
has answered.
I just verified that the Python urllib client does send the fragment to the
server. I've created a patch and will be created a bug on the Python tracker.
Does anyone know what RFC actually talks about not sending the fragment? I've
seen 3986 where it explains that a fragment isn't really a part of the URI, but
it's doesn't specifically say that the client should not send it to the server.
--
David
blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
